diff --git a/drm-i915-bounds-check-execbuffer-relocation-count.patch b/drm-i915-bounds-check-execbuffer-relocation-count.patch
new file mode 100644
index 000000000..1377a5285
--- /dev/null
+++ b/drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -0,0 +1,100 @@
+
+Delivered-To: jwboyer@gmail.com
+Received: by 10.76.169.233 with SMTP id ah9csp107244oac;
+ Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
+X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048;
+ Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
+Return-Path:
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+ by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12;
+ Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
+Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+ spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1754633Ab3CLAbx (ORCPT + 99 others);
+ Mon, 11 Mar 2013 20:31:53 -0400
+Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1754446Ab3CLAbx (ORCPT );
+ Mon, 11 Mar 2013 20:31:53 -0400
+Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
+ by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342;
+ Mon, 11 Mar 2013 17:31:45 -0700
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+From: Kees Cook
+To: linux-kernel@vger.kernel.org
+Cc: Daniel Vetter ,
+ David Airlie ,
+ dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org,
+ Julien Tinnes , marcheu@chromium.org
+Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count
+Message-ID: <20130312003145.GA28993@www.outflux.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+X-MIMEDefang-Filter: outflux$Revision: 1.316 $
+X-HELO: www.outflux.net
+X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID:
+X-Mailing-List: linux-kernel@vger.kernel.org
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook
+Reported-by: Pinkie Pie
+Cc: stable@vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index b3a40ee..094ba41 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)
+ return -EINVAL;
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
+--
+1.7.9.5
+
+
+--
+Kees Cook
+Chrome OS Security
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
diff --git a/kernel.spec b/kernel.spec
index cc545ce9b..a38f224be 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -745,6 +745,9 @@ Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch #CVE-2013-0914 rhbz 920499 920510 Patch21270: signal-always-clear-sa_restorer-on-execve.patch +#CVE-2013-0913 rhbz 920471 920529 +Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch + Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions
@@ -1448,6 +1451,9 @@ ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch #CVE-2013-0914 rhbz 920499 920510 ApplyPatch signal-always-clear-sa_restorer-on-execve.patch +#CVE-2013-0913 rhbz 920471 920529 +ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch + # END OF PATCH APPLICATIONS %endif
@@ -2290,6 +2296,7 @@ fi # || || %changelog * Tue Mar 12 2013 Josh Boyer +- CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529) - CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) * Tue Mar 12 2013 Dave Airlie
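Review bot: In the second `validate_exec_list` hunk of the carried patch, the new guard `exec[i].relocation_count > relocs_max - relocs_total` mixes `int` counters with a field that is, as far as I know from the i915 uapi header (not shown here), a `__u32`, so the comparison and the following `+=` are evaluated in unsigned arithmetic. That is correct only because every addition is gated by the guard, which keeps `relocs_total <= relocs_max` and the subtraction non-negative. I would declare both counters as `unsigned int` (for example `unsigned int relocs_total = 0;`) so no sign conversion is involved, and add `/* relocs_total <= relocs_max always holds, so this cannot underflow */` above the test. The body of `validate_exec_list` continues outside both inner hunks, so whether every later allocation is sized from the summed count cannot be confirmed from this page.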