diff --git a/debian/changelog b/debian/changelog
index 21c508f0a..dc72468ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,6 +43,7 @@ linux (4.19.67-2+deb10u2) UNRELEASED; urgency=medium
 - drm/i915/cmdparser: Use explicit goto for error paths
 - drm/i915/cmdparser: Add support for backward jumps
 - drm/i915/cmdparser: Ignore Length operands during command matching
+ - drm/i915/cmdparser: Fix jump whitelist clearing
 * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
 - drm/i915: Lower RM timeout to avoid DSI hard hangs
 - drm/i915/gen8+: Add RC6 CTX corruption WA
diff --git a/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch b/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
new file mode 100644
index 000000000..210c58c19
--- /dev/null
+++ b/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
@@ -0,0 +1,44 @@
+From: Ben Hutchings
+Date: Sun, 10 Nov 2019 22:08:12 +0000
+Subject: drm/i915/cmdparser: Fix jump whitelist clearing
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
+
+When a jump_whitelist bitmap is reused, it needs to be cleared.
+Currently this is done with memset() and the size calculation assumes
+bitmaps are made of 32-bit words, not longs. So on 64-bit
+architectures, only the first half of the bitmap is cleared.
+
+If some whitelist bits are carried over between successive batches
+submitted on the same context, this will presumably allow embedding
+the rogue instructions that we're trying to reject.
+
+Use bitmap_zero() instead, which gets the calculation right.
+
+Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Hutchings
+---
+ drivers/gpu/drm/i915/i915_cmd_parser.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
++++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
+@@ -1374,7 +1374,7 @@ static void init_whitelist(struct i915_g
+ return;
+ 
+ if (batch_cmds <= ctx->jump_whitelist_cmds) {
+- memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
++ bitmap_zero(ctx->jump_whitelist, batch_cmds);
+ return;
+ }
+ 
+@@ -1394,8 +1394,7 @@ again:
+ }
+ 
+ DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
+- memset(ctx->jump_whitelist, 0,
+- BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
++ bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
+ 
+ return;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index dcef9840b..9cf67909f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
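Review bot: In the first hunk of the embedded patch, `bitmap_zero(ctx->jump_whitelist, batch_cmds)` clears only the first `batch_cmds` bits of a bitmap that was sized for `ctx->jump_whitelist_cmds` entries, so whitelist bits set by an earlier, larger batch on the same context survive above `batch_cmds`. That is only harmless if the BB_START check rejects any target index at or beyond the current batch before it consults `test_bit()`; that check lives outside this patch and is not visible here, so the reliance should be stated next to the call, e.g. `/* Bits >= batch_cmds are stale but never consulted: targets outside the batch are rejected before test_bit(). */`. If that dependency is not wanted, clearing the whole allocated range here as well, `bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);`, matches what the second hunk does and costs little. The second hunk's clear is correct as written, and `init_whitelist()` begins and ends outside both hunks.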
@@ -296,6 +296,7 @@
 bugfix/x86/i915/0009-drm-i915-cmdparser-Add-support-for-backward-jumps.patch
 bugfix/x86/i915/0010-drm-i915-cmdparser-Ignore-Length-operands-during-com.patch
 bugfix/x86/i915/0011-drm-i915-Lower-RM-timeout-to-avoid-DSI-hard-hangs.patch
 bugfix/x86/i915/0012-drm-i915-gen8-Add-RC6-CTX-corruption-WA.patch
+bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
 # ABI maintenance
 debian/abi/powerpc-avoid-abi-change-for-disabling-tm.patch