CVE-2017-5576 CVE-2017-5577 vc4 overflows (rhbz 1416436 1416437 1416439)

drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch

@@ -0,0 +1,82 @@
+From: Eric Anholt <eric@anholt.net>
+To: dri-devel@lists.freedesktop.org
+Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
+ allocation layout.
+Date: Wed, 18 Jan 2017 07:20:49 +1100
+
+We copy the unvalidated ioctl arguments from the user into kernel
+temporary memory to run the validation from, to avoid a race where the
+user updates the unvalidate contents in between validating them and
+copying them into the validated BO.
+
+However, in setting up the layout of the kernel side, we failed to
+check one of the additions (the roundup() for shader_rec_offset)
+against integer overflow, allowing a nearly MAX_UINT value of
+bin_cl_size to cause us to under-allocate the temporary space that we
+then copy_from_user into.
+
+Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index db920771bfb5..c5fe3554858e 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
+ 					  args->shader_rec_count);
+ 	struct vc4_bo *bo;
+ 
+-	if (uniforms_offset < shader_rec_offset ||
++	if (shader_rec_offset < args->bin_cl_size ||
++	    uniforms_offset < shader_rec_offset ||
+ 	    exec_size < uniforms_offset ||
+ 	    args->shader_rec_count >= (UINT_MAX /
+ 					  sizeof(struct vc4_shader_state)) ||
+-- 
+2.11.0
+
+_______________________________________________
+dri-devel mailing list
+dri-devel@lists.freedesktop.org
+https://lists.freedesktop.org/mailman/listinfo/dri-devel
+
+From: Eric Anholt <eric@anholt.net>
+To: dri-devel@lists.freedesktop.org
+Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
+Date: Wed, 18 Jan 2017 07:20:50 +1100
+
+By failing to set the errno, we'd continue on to trying to set up the
+RCL, and then oops on trying to dereference the tile_bo that binning
+validation should have set up.
+
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index c5fe3554858e..ab3016982466 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
+ 					  sizeof(struct vc4_shader_state)) ||
+ 	    temp_size < exec_size) {
+ 		DRM_ERROR("overflow in exec arguments\n");
++		ret = -EINVAL;
+ 		goto fail;
+ 	}
+ 
+-- 
+2.11.0
+
+_______________________________________________
+dri-devel mailing list
+dri-devel@lists.freedesktop.org
+https://lists.freedesktop.org/mailman/listinfo/dri-devel
+

kernel.spec

@@ -629,6 +629,9 @@ Patch851: selinux-namespace-fix.patch
 #rhbz 1390308
 Patch852: nouveau-add-maxwell-to-backlight-init.patch
 
+#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439
+Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2176,6 +2179,9 @@ fi
 #
 #
 %changelog
+* Wed Jan 25 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-5576 CVE-2017-5577 vc4 overflows (rhbz 1416436 1416437 1416439)
+
 * Mon Jan 23 2017 Justin M. Forbes <jforbes@fedoraproject.org>
 - Enable CONFIG_IPV6_GRE (rhbz 1405398)