Update to 4.10-rc6
This commit is contained in:
parent
b476f54cc9
commit
6b038a62ac
|
@ -1,4 +1,4 @@
|
|||
linux (4.10~rc5-1~exp1) UNRELEASED; urgency=medium
|
||||
linux (4.10~rc6-1~exp1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream release candidate
|
||||
|
||||
|
|
|
@ -1,80 +0,0 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Tue, 24 Jan 2017 15:18:24 -0800
|
||||
Subject: fbdev: color map copying bounds checking
|
||||
Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
|
||||
|
||||
Copying color maps to userspace doesn't check the value of to->start,
|
||||
which will cause kernel heap buffer OOB read due to signedness wraps.
|
||||
|
||||
CVE-2016-8405
|
||||
|
||||
Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
|
||||
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Peter Pi (@heisecode) of Trend Micro
|
||||
Cc: Min Chong <mchong@google.com>
|
||||
Cc: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
||||
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
|
||||
1 file changed, 14 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
|
||||
index f89245b8ba8e..68a113594808 100644
|
||||
--- a/drivers/video/fbdev/core/fbcmap.c
|
||||
+++ b/drivers/video/fbdev/core/fbcmap.c
|
||||
@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
|
||||
|
||||
int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
|
||||
{
|
||||
- int tooff = 0, fromoff = 0;
|
||||
- int size;
|
||||
+ unsigned int tooff = 0, fromoff = 0;
|
||||
+ size_t size;
|
||||
|
||||
if (to->start > from->start)
|
||||
fromoff = to->start - from->start;
|
||||
else
|
||||
tooff = from->start - to->start;
|
||||
- size = to->len - tooff;
|
||||
- if (size > (int) (from->len - fromoff))
|
||||
- size = from->len - fromoff;
|
||||
- if (size <= 0)
|
||||
+ if (fromoff >= from->len || tooff >= to->len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
|
||||
+ if (size == 0)
|
||||
return -EINVAL;
|
||||
size *= sizeof(u16);
|
||||
|
||||
@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
|
||||
|
||||
int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
|
||||
{
|
||||
- int tooff = 0, fromoff = 0;
|
||||
- int size;
|
||||
+ unsigned int tooff = 0, fromoff = 0;
|
||||
+ size_t size;
|
||||
|
||||
if (to->start > from->start)
|
||||
fromoff = to->start - from->start;
|
||||
else
|
||||
tooff = from->start - to->start;
|
||||
- size = to->len - tooff;
|
||||
- if (size > (int) (from->len - fromoff))
|
||||
- size = from->len - fromoff;
|
||||
- if (size <= 0)
|
||||
+ if (fromoff >= from->len || tooff >= to->len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
|
||||
+ if (size == 0)
|
||||
return -EINVAL;
|
||||
size *= sizeof(u16);
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From: Eric Anholt <eric@anholt.net>
|
||||
Date: Wed, 18 Jan 2017 07:20:49 +1100
|
||||
Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
|
||||
Origin: https://lkml.org/lkml/2017/1/17/761
|
||||
|
||||
We copy the unvalidated ioctl arguments from the user into kernel
|
||||
temporary memory to run the validation from, to avoid a race where the
|
||||
user updates the unvalidate contents in between validating them and
|
||||
copying them into the validated BO.
|
||||
|
||||
However, in setting up the layout of the kernel side, we failed to
|
||||
check one of the additions (the roundup() for shader_rec_offset)
|
||||
against integer overflow, allowing a nearly MAX_UINT value of
|
||||
bin_cl_size to cause us to under-allocate the temporary space that we
|
||||
then copy_from_user into.
|
||||
|
||||
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||
---
|
||||
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
|
||||
args->shader_rec_count);
|
||||
struct vc4_bo *bo;
|
||||
|
||||
- if (uniforms_offset < shader_rec_offset ||
|
||||
+ if (shader_rec_offset < args->bin_cl_size ||
|
||||
+ uniforms_offset < shader_rec_offset ||
|
||||
exec_size < uniforms_offset ||
|
||||
args->shader_rec_count >= (UINT_MAX /
|
||||
sizeof(struct vc4_shader_state)) ||
|
|
@ -1,27 +0,0 @@
|
|||
From: Eric Anholt <eric@anholt.net>
|
||||
Date: Wed, 18 Jan 2017 07:20:50 +1100
|
||||
Subject: drm/vc4: Return -EINVAL on the overflow checks failing.
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5577
|
||||
Origin: https://lkml.org/lkml/2017/1/17/759
|
||||
|
||||
By failing to set the errno, we'd continue on to trying to set up the
|
||||
RCL, and then oops on trying to dereference the tile_bo that binning
|
||||
validation should have set up.
|
||||
|
||||
Reported-by: Ingo Molnar <mingo@kernel.org>
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||
---
|
||||
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, stru
|
||||
sizeof(struct vc4_shader_state)) ||
|
||||
temp_size < exec_size) {
|
||||
DRM_ERROR("overflow in exec arguments\n");
|
||||
+ ret = -EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
|
@ -92,9 +92,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/fbdev-color-map-coying-bounds-checking.patch
|
||||
bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
|
||||
bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue