[x86] drm/i915/cmdparser: Fix jump whitelist clearing
Fix a flaw I found in the mitigation for CVE-2019-0155.
This commit is contained in:
parent
feec1caa94
commit
6d8b0092bb
|
@ -43,6 +43,7 @@ linux (4.19.67-2+deb10u2) UNRELEASED; urgency=medium
|
|||
- drm/i915/cmdparser: Use explicit goto for error paths
|
||||
- drm/i915/cmdparser: Add support for backward jumps
|
||||
- drm/i915/cmdparser: Ignore Length operands during command matching
|
||||
- drm/i915/cmdparser: Fix jump whitelist clearing
|
||||
* [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
|
||||
- drm/i915: Lower RM timeout to avoid DSI hard hangs
|
||||
- drm/i915/gen8+: Add RC6 CTX corruption WA
|
||||
|
|
44
debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
vendored
Normal file
44
debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
vendored
Normal file
|
@ -0,0 +1,44 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 10 Nov 2019 22:08:12 +0000
|
||||
Subject: drm/i915/cmdparser: Fix jump whitelist clearing
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
|
||||
|
||||
When a jump_whitelist bitmap is reused, it needs to be cleared.
|
||||
Currently this is done with memset() and the size calculation assumes
|
||||
bitmaps are made of 32-bit words, not longs. So on 64-bit
|
||||
architectures, only the first half of the bitmap is cleared.
|
||||
|
||||
If some whitelist bits are carried over between successive batches
|
||||
submitted on the same context, this will presumably allow embedding
|
||||
the rogue instructions that we're trying to reject.
|
||||
|
||||
Use bitmap_zero() instead, which gets the calculation right.
|
||||
|
||||
Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_cmd_parser.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
|
||||
@@ -1374,7 +1374,7 @@ static void init_whitelist(struct i915_g
|
||||
return;
|
||||
|
||||
if (batch_cmds <= ctx->jump_whitelist_cmds) {
|
||||
- memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
|
||||
+ bitmap_zero(ctx->jump_whitelist, batch_cmds);
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1394,8 +1394,7 @@ again:
|
||||
}
|
||||
|
||||
DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
|
||||
- memset(ctx->jump_whitelist, 0,
|
||||
- BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
|
||||
+ bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
|
||||
|
||||
return;
|
||||
}
|
|
@ -296,6 +296,7 @@ bugfix/x86/i915/0009-drm-i915-cmdparser-Add-support-for-backward-jumps.patch
|
|||
bugfix/x86/i915/0010-drm-i915-cmdparser-Ignore-Length-operands-during-com.patch
|
||||
bugfix/x86/i915/0011-drm-i915-Lower-RM-timeout-to-avoid-DSI-hard-hangs.patch
|
||||
bugfix/x86/i915/0012-drm-i915-gen8-Add-RC6-CTX-corruption-WA.patch
|
||||
bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
|
||||
|
||||
# ABI maintenance
|
||||
debian/abi/powerpc-avoid-abi-change-for-disabling-tm.patch
|
||||
|
|
Loading…
Reference in New Issue