37 lines
1.5 KiB
Diff
From: Eric Anholt <eric@anholt.net>
Date: Wed, 18 Jan 2017 07:20:49 +1100
Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
Origin: https://lkml.org/lkml/2017/1/17/761

We copy the unvalidated ioctl arguments from the user into kernel
temporary memory to run the validation from, to avoid a race where the
user updates the unvalidated contents in between validating them and
copying them into the validated BO.

However, in setting up the layout of the kernel side, we failed to
check one of the additions (the roundup() for shader_rec_offset)
against integer overflow, allowing a nearly MAX_UINT value of
bin_cl_size to cause us to under-allocate the temporary space that we
then copy_from_user into.

Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
---
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
args->shader_rec_count);
struct vc4_bo *bo;
- if (uniforms_offset < shader_rec_offset ||
+ if (shader_rec_offset < args->bin_cl_size ||
+ uniforms_offset < shader_rec_offset ||
exec_size < uniforms_offset ||
args->shader_rec_count >= (UINT_MAX /
sizeof(struct vc4_shader_state)) ||
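
Review bot: The added `shader_rec_offset < args->bin_cl_size` test at the top of the condition is an overflow guard, but nothing in the code says so. Like the neighbouring `uniforms_offset < shader_rec_offset` and `exec_size < uniforms_offset` tests, it only reads as a wraparound check to someone who has the commit message in hand. A short comment above the `if`, stating that each offset is compared against the value it was derived from in order to catch unsigned wraparound, would make it harder for the next offset added to this layout to go unchecked, which is the omission the commit message describes. The guard also depends on `shader_rec_offset` and `args->bin_cl_size` being unsigned and of the same width so that the wrap is well defined and the comparison is not affected by promotion; their declarations are outside this hunk, so that is worth confirming before merging.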