CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)

2013-03-12 09:07:02 -04:00 · 2013-03-12 09:07:02 -04:00 · 63a70f0755
parent b9b2422ce0
commit 63a70f0755
2 changed files with 58 additions and 0 deletions
--- a/drm-i915-bounds-check-execbuffer-relocation-count.patch
+++ b/drm-i915-bounds-check-execbuffer-relocation-count.patch
@ -0,0 +1,51 @@
+From e896e9dde50fd9a44cbbed205cc0beb869e2193b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: [PATCH] drm/i915: bounds check execbuffer relocation count
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Pinkie Pie
+Cc: stable@vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index 26d08bb..7adf5a7 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -706,15 +706,20 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ 		   int count)
+ {
+ 	int i;
+	int relocs_total = 0;
+	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+ 
+ 	for (i = 0; i < count; i++) {
+ 		char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ 		int length; /* limited by fault_in_pages_readable() */
+ 
+-		/* First check for malicious input causing overflow */
+-		if (exec[i].relocation_count >
+-		    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
+		/* First check for malicious input causing overflow in
+		 * the worst case where we need to allocate the entire
+		 * relocation tree as a single array.
+		 */
+		if (exec[i].relocation_count > relocs_max - relocs_total)
+ 			return -EINVAL;
+		relocs_total += exec[i].relocation_count;
+ 
+ 		length = exec[i].relocation_count *
+ 			sizeof(struct drm_i915_gem_relocation_entry);
+-- 
+1.8.1.2
+
--- a/kernel.spec
+++ b/kernel.spec
@ -778,6 +778,9 @@ Patch24107: uvcvideo-suspend-fix.patch
 #CVE-2013-0914 rhbz 920499 920510
 Patch24108: signal-always-clear-sa_restorer-on-execve.patch

+#CVE-2013-0913 rhbz 920471 920529
+Patch24109: drm-i915-bounds-check-execbuffer-relocation-count.patch
+
 # AMD64 EDAC reports a wrong dimm count with new API. Fix it
 Patch25000: amd64_edac_fix_rank_count.patch

@ -1519,6 +1522,9 @@ ApplyPatch uvcvideo-suspend-fix.patch
 #CVE-2013-0914 rhbz 920499 920510
 ApplyPatch signal-always-clear-sa_restorer-on-execve.patch

+#CVE-2013-0913 rhbz 920471 920529
+ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
+

 # END OF PATCH APPLICATIONS

@ -2377,6 +2383,7 @@ fi
 #              '-'
 %changelog
 * Tue Mar 12 2013 Josh Boyer <jwboyer@redhat.com>
+- CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)
 - CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510)

 * Mon Mar 11 2013 Mauro Carvalho Chehab <mchehab@redhat.com>