Linux v4.9.7
This commit is contained in:
Laura Abbott
parent
26c466e1b9
commit
0116ad7a69
|
|
@ -1,82 +0,0 @@
|
|||
From: Eric Anholt <eric@anholt.net>
|
||||
To: dri-devel@lists.freedesktop.org
|
||||
Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
|
||||
allocation layout.
|
||||
Date: Wed, 18 Jan 2017 07:20:49 +1100
|
||||
|
||||
We copy the unvalidated ioctl arguments from the user into kernel
|
||||
temporary memory to run the validation from, to avoid a race where the
|
||||
user updates the unvalidate contents in between validating them and
|
||||
copying them into the validated BO.
|
||||
|
||||
However, in setting up the layout of the kernel side, we failed to
|
||||
check one of the additions (the roundup() for shader_rec_offset)
|
||||
against integer overflow, allowing a nearly MAX_UINT value of
|
||||
bin_cl_size to cause us to under-allocate the temporary space that we
|
||||
then copy_from_user into.
|
||||
|
||||
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||
---
|
||||
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
index db920771bfb5..c5fe3554858e 100644
|
||||
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
|
||||
args->shader_rec_count);
|
||||
struct vc4_bo *bo;
|
||||
|
||||
- if (uniforms_offset < shader_rec_offset ||
|
||||
+ if (shader_rec_offset < args->bin_cl_size ||
|
||||
+ uniforms_offset < shader_rec_offset ||
|
||||
exec_size < uniforms_offset ||
|
||||
args->shader_rec_count >= (UINT_MAX /
|
||||
sizeof(struct vc4_shader_state)) ||
|
||||
--
|
||||
2.11.0
|
||||
|
||||
_______________________________________________
|
||||
dri-devel mailing list
|
||||
dri-devel@lists.freedesktop.org
|
||||
https://lists.freedesktop.org/mailman/listinfo/dri-devel
|
||||
|
||||
From: Eric Anholt <eric@anholt.net>
|
||||
To: dri-devel@lists.freedesktop.org
|
||||
Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
|
||||
Date: Wed, 18 Jan 2017 07:20:50 +1100
|
||||
|
||||
By failing to set the errno, we'd continue on to trying to set up the
|
||||
RCL, and then oops on trying to dereference the tile_bo that binning
|
||||
validation should have set up.
|
||||
|
||||
Reported-by: Ingo Molnar <mingo@kernel.org>
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||
---
|
||||
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
index c5fe3554858e..ab3016982466 100644
|
||||
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||
@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
|
||||
sizeof(struct vc4_shader_state)) ||
|
||||
temp_size < exec_size) {
|
||||
DRM_ERROR("overflow in exec arguments\n");
|
||||
+ ret = -EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
--
|
||||
2.11.0
|
||||
|
||||
_______________________________________________
|
||||
dri-devel mailing list
|
||||
dri-devel@lists.freedesktop.org
|
||||
https://lists.freedesktop.org/mailman/listinfo/dri-devel
|
||||
|
||||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 6
|
||||
%define stable_update 7
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -633,9 +633,6 @@ Patch851: selinux-namespace-fix.patch
|
|||
#rhbz 1390308
|
||||
Patch852: nouveau-add-maxwell-to-backlight-init.patch
|
||||
|
||||
#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439
|
||||
Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
|
||||
|
||||
#The saddest EFI firmware bug
|
||||
Patch854: 0001-x86-efi-always-map-first-physical-page-into-EFI-page.patch
|
||||
|
||||
|
|
@ -2171,6 +2168,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Feb 02 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.7-100
|
||||
- Linux v4.9.7
|
||||
|
||||
* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix kvm nested virt CVE-2017-2596 (rhbz 1417812 1417813)
|
||||
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
|
||||
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
|
||||
SHA512 (patch-4.9.6.xz) = 230ab118639d19b7a473e75f5463ea9add3db8cb70fe3ba546e053fc1bd32b1d353eb1c107f5467e5f24a26c43c623cf79cf8d5a5cef85613e4da989a6c0326a
|
||||
SHA512 (patch-4.9.7.xz) = 48592d15efd6111eaacfa47a6def496bcc120f39bd93afccf4f23c7b93cc320638349890c67ba14792b5330a9a4c7e7fa74db6f84f4df92d20a2bf5a3eb3dcc6
|
||||
|
|
|
|||
Loading…
Reference in New Issue