[x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
svn path=/dists/sid/linux/; revision=19945
This commit is contained in:
parent
15cc7e2b4a
commit
8274377d91
|
@ -4,6 +4,7 @@ linux (3.2.41-2) UNRELEASED; urgency=low
|
||||||
efi-modules (fixes FTBFS)
|
efi-modules (fixes FTBFS)
|
||||||
* linux-headers: Fix file installation on architectures without
|
* linux-headers: Fix file installation on architectures without
|
||||||
Kbuild.platforms (Closes: #703800)
|
Kbuild.platforms (Closes: #703800)
|
||||||
|
* [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 23 Mar 2013 17:45:03 +0000
|
-- Ben Hutchings <ben@decadent.org.uk> Sat, 23 Mar 2013 17:45:03 +0000
|
||||||
|
|
||||||
|
|
49
debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
vendored
Normal file
49
debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
vendored
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
From: Kees Cook <keescook@chromium.org>
|
||||||
|
Date: Mon, 11 Mar 2013 17:31:45 -0700
|
||||||
|
Subject: drm/i915: bounds check execbuffer relocation count
|
||||||
|
|
||||||
|
commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
|
||||||
|
|
||||||
|
It is possible to wrap the counter used to allocate the buffer for
|
||||||
|
relocation copies. This could lead to heap writing overflows.
|
||||||
|
|
||||||
|
CVE-2013-0913
|
||||||
|
|
||||||
|
v3: collapse test, improve comment
|
||||||
|
v2: move check into validate_exec_list
|
||||||
|
|
||||||
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||||
|
Reported-by: Pinkie Pie
|
||||||
|
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
|
||||||
|
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||||
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
---
|
||||||
|
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
|
||||||
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||||
|
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||||
|
@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_e
|
||||||
|
int count)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
+ int relocs_total = 0;
|
||||||
|
+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
|
||||||
|
|
||||||
|
for (i = 0; i < count; i++) {
|
||||||
|
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
|
||||||
|
int length; /* limited by fault_in_pages_readable() */
|
||||||
|
|
||||||
|
- /* First check for malicious input causing overflow */
|
||||||
|
- if (exec[i].relocation_count >
|
||||||
|
- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
|
||||||
|
+ /* First check for malicious input causing overflow in
|
||||||
|
+ * the worst case where we need to allocate the entire
|
||||||
|
+ * relocation tree as a single array.
|
||||||
|
+ */
|
||||||
|
+ if (exec[i].relocation_count > relocs_max - relocs_total)
|
||||||
|
return -EINVAL;
|
||||||
|
+ relocs_total += exec[i].relocation_count;
|
||||||
|
|
||||||
|
length = exec[i].relocation_count *
|
||||||
|
sizeof(struct drm_i915_gem_relocation_entry);
|
|
@ -635,3 +635,4 @@ bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch
|
||||||
bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
|
bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
|
||||||
bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
|
bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
|
||||||
debian/efivars-remove-check-for-50-full-on-write.patch
|
debian/efivars-remove-check-for-50-full-on-write.patch
|
||||||
|
bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||||
|
|
Loading…
Reference in New Issue