From de3e9af4dcee3ff2ec53e47856acd7322422a393 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 29 Mar 2017 22:36:05 +0100
Subject: [PATCH] [x86] vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (CVE-2017-7261)
---
 debian/changelog | 2 ++
 ...eference-in-vmw_surface_define_ioctl.patch | 29 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 32 insertions(+)
 create mode 100644 debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
diff --git a/debian/changelog b/debian/changelog
index 53fe8a6f0..c81ad831b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -139,6 +139,8 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
 (CVE-2017-7184)
 * xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
 * scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
+ * [x86] vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
+ (CVE-2017-7261)
 -- Ben Hutchings Mon, 27 Mar 2017 21:54:36 +0100
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
new file mode 100644
index 000000000..b4dac5cc1
--- /dev/null
+++ b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
@@ -0,0 +1,29 @@
+From: Murray McAllister
+Date: Fri, 24 Mar 2017 20:33:00 -0700
+Subject: vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
+Origin: https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
+
+Before memory allocations vmw_surface_define_ioctl() checks the
+upper-bounds of a user-supplied size, but does not check if the
+supplied size is 0.
+
+Add check to avoid NULL pointer dereferences.
+
+Signed-off-by: Murray McAllister
+Reviewed-by: Sinclair Yeh
+[bwh: Fix filename]
+---
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ num_sizes += req->mip_levels[i];
+
+- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
+- DRM_VMW_MAX_MIP_LEVELS)
++ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
++ num_sizes == 0)
+ return -EINVAL;
+
+ size = vmw_user_surface_size + 128 +
diff --git a/debian/patches/series b/debian/patches/series
index 764340fdb..e68835bca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -122,6 +122,7 @@ bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
 bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
 bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
 bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
+bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
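Review bot: In the embedded vmwgfx_surface.c hunk, the new condition bounds only the accumulated `num_sizes`; each user-supplied `req->mip_levels[i]` is still summed in the loop without its own limit. If `num_sizes` is a fixed-width unsigned integer (its declaration is outside the hunk, so this is inferred), large per-face values could wrap the sum to a small non-zero total that passes both the upper-bound and the `== 0` test. Rejecting each element before accumulating would close that gap, e.g. `if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) return -EINVAL;` inside the `for` loop. A short comment such as `/* num_sizes == 0 would make the size arrays zero-length */` would also record why zero is refused. vmw_surface_define_ioctl() starts and ends outside the hunk, so later uses of `num_sizes` and `req->mip_levels[]` should be confirmed against the full function.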