[x86] drm/i915/cmdparser: Fix jump whitelist clearing

Fix a flaw I found in the mitigation for CVE-2019-0155.
Ben Hutchings 2019-11-10 22:41:41 +00:00
parent feec1caa94
commit 6d8b0092bb
3 changed files with 46 additions and 0 deletions

debian/changelog vendored

@ -43,6 +43,7 @@ linux (4.19.67-2+deb10u2) UNRELEASED; urgency=medium
- drm/i915/cmdparser: Use explicit goto for error paths
- drm/i915/cmdparser: Add support for backward jumps
- drm/i915/cmdparser: Ignore Length operands during command matching
- drm/i915/cmdparser: Fix jump whitelist clearing
* [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
- drm/i915: Lower RM timeout to avoid DSI hard hangs
- drm/i915/gen8+: Add RC6 CTX corruption WA


@ -0,0 +1,44 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 10 Nov 2019 22:08:12 +0000
Subject: drm/i915/cmdparser: Fix jump whitelist clearing
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
When a jump_whitelist bitmap is reused, it needs to be cleared.
Currently this is done with memset() and the size calculation assumes
bitmaps are made of 32-bit words, not longs. So on 64-bit
architectures, only the first half of the bitmap is cleared.
If some whitelist bits are carried over between successive batches
submitted on the same context, this will presumably allow embedding
the rogue instructions that we're trying to reject.
Use bitmap_zero() instead, which gets the calculation right.
Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
Cc: stable@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/i915/i915_cmd_parser.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
+++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
@@ -1374,7 +1374,7 @@ static void init_whitelist(struct i915_g
return;
if (batch_cmds <= ctx->jump_whitelist_cmds) {
- memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
+ bitmap_zero(ctx->jump_whitelist, batch_cmds);
return;
}
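Review bot: In the reuse branch above, `bitmap_zero(ctx->jump_whitelist, batch_cmds)` clears only the bits covering the current batch (rounded up to a whole long), while the guarding condition allows the bitmap to hold up to `ctx->jump_whitelist_cmds` bits and the failure path in the next hunk clears all of them. Bits above that point can therefore stay set from an earlier, larger batch on the same context. If nothing ever reads the bitmap at or beyond batch_cmds this is harmless, but please either add a one-line comment stating that invariant or clear `ctx->jump_whitelist_cmds` bits here too, so the two paths agree.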
@@ -1394,8 +1394,7 @@ again:
}
DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
- memset(ctx->jump_whitelist, 0,
- BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
+ bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
return;
}
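Review bot: The removed memset() in this error path sized the clear as `BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32)`, a long count multiplied by a 32-bit word size, which shows how easy the units of `jump_whitelist_cmds` are to misread. The switch to bitmap_zero() is right; a short comment where the field is declared saying that it is a count of bits, and that the buffer is a bitmap of longs to be handled only through the bitmap_*() helpers, would help keep the same mistake from returning.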


@ -296,6 +296,7 @@ bugfix/x86/i915/0009-drm-i915-cmdparser-Add-support-for-backward-jumps.patch
bugfix/x86/i915/0010-drm-i915-cmdparser-Ignore-Length-operands-during-com.patch
bugfix/x86/i915/0011-drm-i915-Lower-RM-timeout-to-avoid-DSI-hard-hangs.patch
bugfix/x86/i915/0012-drm-i915-gen8-Add-RC6-CTX-corruption-WA.patch
bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
# ABI maintenance
debian/abi/powerpc-avoid-abi-change-for-disabling-tm.patch
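Review bot: The added series entry `drm-i915-cmdparser-fix-jump-whitelist-clearing.patch` has no numeric prefix, unlike the neighbouring bugfix/x86/i915 entries (0009- through 0012-), and it is listed after the two patches that the changelog groups under CVE-2019-0154 even though it belongs to the cmdparser group. A comment line in the series file noting that it is a follow-up fix to 0009 would make the ordering and the naming difference self-explanatory.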