From 99ffffefccc59d66b7313b3dcf526cf7e6672aaf Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 25 Jan 2017 11:32:26 -0600 Subject: [PATCH] Linux v4.10-rc5-107-g883af14 --- ...rflow_in_temporary_allocation_layout.patch | 82 +++++++++++++++++++ gitrev | 2 +- kernel.spec | 9 +- sources | 2 +- 4 files changed, 92 insertions(+), 3 deletions(-) create mode 100644 drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch diff --git a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch new file mode 100644 index 000000000..37f012073 --- /dev/null +++ b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch @@ -0,0 +1,82 @@ +From: Eric Anholt +To: dri-devel@lists.freedesktop.org +Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary + allocation layout. +Date: Wed, 18 Jan 2017 07:20:49 +1100 + +We copy the unvalidated ioctl arguments from the user into kernel +temporary memory to run the validation from, to avoid a race where the +user updates the unvalidate contents in between validating them and +copying them into the validated BO. + +However, in setting up the layout of the kernel side, we failed to +check one of the additions (the roundup() for shader_rec_offset) +against integer overflow, allowing a nearly MAX_UINT value of +bin_cl_size to cause us to under-allocate the temporary space that we +then copy_from_user into. + +Reported-by: Murray McAllister +Signed-off-by: Eric Anholt +Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") +--- + drivers/gpu/drm/vc4/vc4_gem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index db920771bfb5..c5fe3554858e 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) + args->shader_rec_count); + struct vc4_bo *bo; + +- if (uniforms_offset < shader_rec_offset || ++ if (shader_rec_offset < args->bin_cl_size || ++ uniforms_offset < shader_rec_offset || + exec_size < uniforms_offset || + args->shader_rec_count >= (UINT_MAX / + sizeof(struct vc4_shader_state)) || +-- +2.11.0 + +_______________________________________________ +dri-devel mailing list +dri-devel@lists.freedesktop.org +https://lists.freedesktop.org/mailman/listinfo/dri-devel + +From: Eric Anholt +To: dri-devel@lists.freedesktop.org +Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing. +Date: Wed, 18 Jan 2017 07:20:50 +1100 + +By failing to set the errno, we'd continue on to trying to set up the +RCL, and then oops on trying to dereference the tile_bo that binning +validation should have set up. + +Reported-by: Ingo Molnar +Signed-off-by: Eric Anholt +Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index c5fe3554858e..ab3016982466 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) + sizeof(struct vc4_shader_state)) || + temp_size < exec_size) { + DRM_ERROR("overflow in exec arguments\n"); ++ ret = -EINVAL; + goto fail; + } + +-- +2.11.0 + +_______________________________________________ +dri-devel mailing list +dri-devel@lists.freedesktop.org +https://lists.freedesktop.org/mailman/listinfo/dri-devel + diff --git a/gitrev b/gitrev index 32cfbda13..a47156412 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -a4685d2f58e2230d4e27fb2ee581d7ea35e5d046 +883af14e67e8b8702b5560aa64c888c0cd0bd66c diff --git a/kernel.spec b/kernel.spec index 0b00f8208..d22267040 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 5 # The git snapshot level -%define gitrev 1 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -590,6 +590,9 @@ Patch851: Armada-trace-build-fix.patch # selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch +#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439 +Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch + # END OF PATCH DEFINITIONS %endif @@ -2160,6 +2163,10 @@ fi # # %changelog +* Wed Jan 25 2017 Justin M. Forbes - 4.10.0-0.rc5.git2.1 +- Linux v4.10-rc5-107-g883af14 +- CVE-2017-5576 CVE-2017-5577 vc4 overflows (rhbz 1416436 1416437 1416439) + * Tue Jan 24 2017 Justin M. Forbes - 4.10.0-0.rc5.git1.1 - Linux v4.10-rc5-71-ga4685d2 diff --git a/sources b/sources index bbd62b66c..6813fba6d 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 SHA512 (patch-4.10-rc5.xz) = 5c51bce76af4e6f4637aaa059a9211c958d3d26332ef9efab421586069b1df5610b781908359da325dd114c9a6567f45be45a3c6bae6830586af69669d05910a -SHA512 (patch-4.10-rc5-git1.xz) = 3a9c5193d80217069e3e1c61a110d0705f607442cfcfa801d1da61ce41b5a824ea7fd65c9273272f11469ef4caf8655f63139835fa1b7a0e89f7c2a82b379bc5 +SHA512 (patch-4.10-rc5-git2.xz) = ee952ac86845d1316e0be99b9b01b49f23fe938a643b8b5737c92436882f703282ef682de977957e7482e4eb3ce9ad543e9b528e9b4355a09a09b1c5d7d78e7b