[x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}

svn path=/dists/sid/linux-2.6/; revision=18957

debian/changelog

@@ -24,6 +24,7 @@ linux-2.6 (3.2.16-1) UNRELEASED; urgency=low
     - Rate limit the state manager for lock reclaim warning messages
     - Ensure that the LOCK code sets exception->inode
     - Ensure that we check lock exclusive/shared type against open modes
+  * [x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}
 
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 16 Apr 2012 02:27:29 +0100
 

debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch

@@ -0,0 +1,38 @@
+From: Xi Wang <xi.wang@gmail.com>
+Date: Mon, 23 Apr 2012 04:06:42 -0400
+Message-Id: <1335168402-25174-2-git-send-email-xi.wang@gmail.com>
+Subject: [PATCH v2 2/2] drm/i915: fix integer overflow in
+ i915_gem_do_execbuffer()
+
+On 32-bit systems, a large args->num_cliprects from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
+allocation for execbuffer object list").
+
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: stable@vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index 7c50e58..de43194 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 			return -EINVAL;
+ 		}
+ 
++		if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
++			DRM_DEBUG("execbuf with %u cliprects\n",
++				  args->num_cliprects);
++			return -EINVAL;
++		}
+ 		cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
+ 				    GFP_KERNEL);
+ 		if (cliprects == NULL) {
+-- 
+1.7.5.4
+

debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch

@@ -0,0 +1,37 @@
+From: Xi Wang <xi.wang@gmail.com>
+Date: Mon, 23 Apr 2012 04:06:41 -0400
+Message-Id: <1335168402-25174-1-git-send-email-xi.wang@gmail.com>
+Subject: [PATCH v2 1/2] drm/i915: fix integer overflow in
+ i915_gem_execbuffer2()
+
+On 32-bit systems, a large args->buffer_count from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 8408c282 ("drm/i915:
+First try a normal large kmalloc for the temporary exec buffers").
+
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: stable@vger.kernel.org
+[bwh: Backported to 3.2: adjust context]
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index f51a696..7c50e58 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
+ 	struct drm_i915_gem_exec_object2 *exec2_list = NULL;
+ 	int ret;
+ 
+-	if (args->buffer_count < 1) {
++	if (args->buffer_count < 1 ||
++	    args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
+ 		DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
+ 		return -EINVAL;
+ 	}
+-- 
+1.7.5.4
+

debian/patches/series/base

@@ -190,3 +190,5 @@
 + bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
 + bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch
 + bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch