[x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
svn path=/dists/sid/linux/; revision=19945
This commit is contained in:
parent
15cc7e2b4a
commit
8274377d91
|
@ -4,6 +4,7 @@ linux (3.2.41-2) UNRELEASED; urgency=low
|
|||
efi-modules (fixes FTBFS)
|
||||
* linux-headers: Fix file installation on architectures without
|
||||
Kbuild.platforms (Closes: #703800)
|
||||
* [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 23 Mar 2013 17:45:03 +0000
|
||||
|
||||
|
|
49
debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
vendored
Normal file
49
debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
vendored
Normal file
|
@ -0,0 +1,49 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Mon, 11 Mar 2013 17:31:45 -0700
|
||||
Subject: drm/i915: bounds check execbuffer relocation count
|
||||
|
||||
commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
|
||||
|
||||
It is possible to wrap the counter used to allocate the buffer for
|
||||
relocation copies. This could lead to heap writing overflows.
|
||||
|
||||
CVE-2013-0913
|
||||
|
||||
v3: collapse test, improve comment
|
||||
v2: move check into validate_exec_list
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Pinkie Pie
|
||||
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_e
|
||||
int count)
|
||||
{
|
||||
int i;
|
||||
+ int relocs_total = 0;
|
||||
+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
|
||||
|
||||
for (i = 0; i < count; i++) {
|
||||
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
|
||||
int length; /* limited by fault_in_pages_readable() */
|
||||
|
||||
- /* First check for malicious input causing overflow */
|
||||
- if (exec[i].relocation_count >
|
||||
- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
|
||||
+ /* First check for malicious input causing overflow in
|
||||
+ * the worst case where we need to allocate the entire
|
||||
+ * relocation tree as a single array.
|
||||
+ */
|
||||
+ if (exec[i].relocation_count > relocs_max - relocs_total)
|
||||
return -EINVAL;
|
||||
+ relocs_total += exec[i].relocation_count;
|
||||
|
||||
length = exec[i].relocation_count *
|
||||
sizeof(struct drm_i915_gem_relocation_entry);
|
|
@ -635,3 +635,4 @@ bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch
|
|||
bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
|
||||
bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
|
||||
debian/efivars-remove-check-for-50-full-on-write.patch
|
||||
bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
|
Loading…
Reference in New Issue