[x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)
This commit is contained in:
parent
de3e9af4dc
commit
8703214f24
|
@ -141,6 +141,8 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
|
|||
* scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
|
||||
* [x86] vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
|
||||
(CVE-2017-7261)
|
||||
* [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
|
||||
(CVE-2017-7294)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 27 Mar 2017 21:54:36 +0100
|
||||
|
||||
|
|
33
debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
vendored
Normal file
33
debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
vendored
Normal file
|
@ -0,0 +1,33 @@
|
|||
Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Tue, 28 Mar 2017 03:10:53 +0000
|
||||
Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
|
||||
|
||||
In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
|
||||
'req->mip_levels' array. This array can be assigned any value from
|
||||
the user space. As both the 'num_sizes' and the array is uint32_t,
|
||||
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
|
||||
used as the loop count. This can lead an oob write. Add the check of
|
||||
'req->mip_levels' to avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
---
|
||||
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
||||
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
||||
@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
|
||||
128;
|
||||
|
||||
num_sizes = 0;
|
||||
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
|
||||
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
|
||||
+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
|
||||
+ return -EINVAL;
|
||||
num_sizes += req->mip_levels[i];
|
||||
+ }
|
||||
|
||||
if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
|
||||
num_sizes == 0)
|
|
@ -123,6 +123,7 @@ bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.
|
|||
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
|
||||
bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
|
||||
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
|
||||
bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue