[x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)

svn path=/dists/sid/linux/; revision=19945
2013-03-25 13:13:14 +00:00 · 2013-03-25 13:13:14 +00:00 · 8274377d91
parent 15cc7e2b4a
commit 8274377d91
3 changed files with 51 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -4,6 +4,7 @@ linux (3.2.41-2) UNRELEASED; urgency=low
    efi-modules (fixes FTBFS)
  * linux-headers: Fix file installation on architectures without
    Kbuild.platforms (Closes: #703800)
+  * [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 23 Mar 2013 17:45:03 +0000

--- a/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
+++ b/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
@ -0,0 +1,49 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_e
+ 		   int count)
+ {
+ 	int i;
+	int relocs_total = 0;
+	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+ 
+ 	for (i = 0; i < count; i++) {
+ 		char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ 		int length; /* limited by fault_in_pages_readable() */
+ 
+-		/* First check for malicious input causing overflow */
+-		if (exec[i].relocation_count >
+-		    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
+		/* First check for malicious input causing overflow in
+		 * the worst case where we need to allocate the entire
+		 * relocation tree as a single array.
+		 */
+		if (exec[i].relocation_count > relocs_max - relocs_total)
+ 			return -EINVAL;
+		relocs_total += exec[i].relocation_count;
+ 
+ 		length = exec[i].relocation_count *
+ 			sizeof(struct drm_i915_gem_relocation_entry);
--- a/debian/patches/series
+++ b/debian/patches/series
@ -635,3 +635,4 @@ bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch
 bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
 bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
 debian/efivars-remove-check-for-50-full-on-write.patch
+bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch