Merge branch 'f12/master' into f12/user/myoung/xendom0
Conflicts: kernel.spec
This commit is contained in:
Michael Young
commit
674c686dae
|
|
@ -0,0 +1,90 @@
|
|||
From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Date: Sun, 26 Sep 2010 20:50:05 +0100
|
||||
Subject: drm/i915: Sanity check pread/pwrite
|
||||
|
||||
From: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
|
||||
commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
|
||||
|
||||
Move the access control up from the fast paths, which are no longer
|
||||
universally taken first, up into the caller. This then duplicates some
|
||||
sanity checking along the slow paths, but is much simpler.
|
||||
Tracked as CVE-2010-2962.
|
||||
|
||||
Reported-by: Kees Cook <kees@ubuntu.com>
|
||||
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
Backported-by: Chuck Ebbert <cebbert@redhat.com> 2.6.32
|
||||
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_gem.c | 28 ++++++++++++++++++++--------
|
||||
1 file changed, 20 insertions(+), 8 deletions(-)
|
||||
|
||||
--- a/drivers/gpu/drm/i915/i915_gem.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_gem.c
|
||||
@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
|
||||
*/
|
||||
if (args->offset > obj->size || args->size > obj->size ||
|
||||
args->offset + args->size > obj->size) {
|
||||
- drm_gem_object_unreference(obj);
|
||||
- return -EINVAL;
|
||||
+ ret = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!access_ok(VERIFY_WRITE,
|
||||
+ (char __user *)(uintptr_t)args->data_ptr,
|
||||
+ args->size)) {
|
||||
+ ret = -EFAULT;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
if (i915_gem_object_needs_bit17_swizzle(obj)) {
|
||||
@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
|
||||
file_priv);
|
||||
}
|
||||
|
||||
+err:
|
||||
drm_gem_object_unreference(obj);
|
||||
-
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
|
||||
|
||||
user_data = (char __user *) (uintptr_t) args->data_ptr;
|
||||
remain = args->size;
|
||||
- if (!access_ok(VERIFY_READ, user_data, remain))
|
||||
- return -EFAULT;
|
||||
|
||||
|
||||
mutex_lock(&dev->struct_mutex);
|
||||
@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
|
||||
*/
|
||||
if (args->offset > obj->size || args->size > obj->size ||
|
||||
args->offset + args->size > obj->size) {
|
||||
- drm_gem_object_unreference(obj);
|
||||
- return -EINVAL;
|
||||
+ ret = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!access_ok(VERIFY_READ,
|
||||
+ (char __user *)(uintptr_t)args->data_ptr,
|
||||
+ args->size)) {
|
||||
+ ret = -EFAULT;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/* We can only do the GTT pwrite on untiled buffers, as otherwise
|
||||
@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
|
||||
DRM_INFO("pwrite failed %d\n", ret);
|
||||
#endif
|
||||
|
||||
+err:
|
||||
drm_gem_object_unreference(obj);
|
||||
-
|
||||
return ret;
|
||||
}
|
||||
|
||||
48
kernel.spec
48
kernel.spec
|
|
@ -48,7 +48,7 @@ Summary: The Linux kernel
|
|||
# reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
|
||||
# scripts/rebase.sh should be made to do that for you, actually.
|
||||
#
|
||||
%global baserelease 170.1
|
||||
%global baserelease 171
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
|
@ -60,9 +60,9 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 23
|
||||
%define stable_update 25
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
%define stable_rc 1
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev .%{stable_update}
|
||||
|
|
@ -730,14 +730,16 @@ Patch1824: drm-intel-next.patch
|
|||
Patch1825: drm-intel-acpi-populate-didl.patch
|
||||
Patch1826: drm-intel-make-lvds-work.patch
|
||||
#Patch1827: linux-2.6-intel-agp-clear-gtt.patch
|
||||
Patch1828: drm-nouveau-g80-ctxprog.patch
|
||||
Patch1831: drm-nouveau-tvout-disable.patch
|
||||
Patch1832: drm-nouveau-safetile-getparam.patch
|
||||
Patch1844: drm-nouveau-kconfig.patch
|
||||
Patch1845: drm-nouveau-mutex.patch
|
||||
Patch1846: drm-nouveau-update.patch
|
||||
Patch1847: drm-nouveau-d620.patch
|
||||
Patch1848: drm-nouveau-nva3-noaccel.patch
|
||||
Patch1828: drm-i915-sanity-check-pread-pwrite.patch
|
||||
|
||||
Patch1850: drm-nouveau-g80-ctxprog.patch
|
||||
Patch1851: drm-nouveau-tvout-disable.patch
|
||||
Patch1852: drm-nouveau-safetile-getparam.patch
|
||||
Patch1853: drm-nouveau-kconfig.patch
|
||||
Patch1854: drm-nouveau-mutex.patch
|
||||
Patch1855: drm-nouveau-update.patch
|
||||
Patch1856: drm-nouveau-d620.patch
|
||||
Patch1857: drm-nouveau-nva3-noaccel.patch
|
||||
|
||||
# kludge to make ich9 e1000 work
|
||||
Patch2000: linux-2.6-e1000-ich9.patch
|
||||
|
|
@ -1471,6 +1473,8 @@ ApplyPatch drm-intel-acpi-populate-didl.patch
|
|||
ApplyPatch drm-intel-make-lvds-work.patch
|
||||
# gm45 stability fixes
|
||||
ApplyPatch drm-intel-945gm-stability-fixes.patch
|
||||
# CVE-2010-2962
|
||||
ApplyPatch drm-i915-sanity-check-pread-pwrite.patch
|
||||
|
||||
ApplyPatch drm-nouveau-g80-ctxprog.patch
|
||||
ApplyPatch drm-nouveau-tvout-disable.patch
|
||||
|
|
@ -1553,15 +1557,15 @@ ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
|
|||
ApplyPatch net-do-not-check-capable-if-kernel.patch
|
||||
|
||||
# Mitigate DOS with large argument lists
|
||||
ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
||||
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
#ApplyPatch execve-improve-interactivity-with-large-arguments.patch
|
||||
#ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
#ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
|
||||
# rhbz#629158
|
||||
ApplyPatch r8169-fix-dma-allocations.patch
|
||||
#ApplyPatch r8169-fix-dma-allocations.patch
|
||||
|
||||
# rhbz#447489
|
||||
ApplyPatch skge-quirk-to-4gb-dma.patch
|
||||
#ApplyPatch skge-quirk-to-4gb-dma.patch
|
||||
|
||||
# rhbz#596475
|
||||
ApplyPatch add-support-for-ricoh-e822-sdhci.patch
|
||||
|
|
@ -2222,6 +2226,18 @@ fi
|
|||
%kernel_variant_files -k vmlinux %{with_kdump} kdump
|
||||
|
||||
%changelog
|
||||
* Fri Oct 22 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.25-171.rc1
|
||||
- Linux 2.6.32.25-rc1
|
||||
- Comment out patches merged upstream:
|
||||
execve-improve-interactivity-with-large-arguments.patch
|
||||
execve-make-responsive-to-sigkill-with-large-arguments.patch
|
||||
setup_arg_pages-diagnose-excessive-argument-size.patch
|
||||
xen-fix-typo-in-xen-irq-fix.patch
|
||||
r8169-fix-dma-allocations.patch
|
||||
skge-quirk-to-4gb-dma.patch
|
||||
- drm-i915-sanity-check-pread-pwrite.patch: backport fix for
|
||||
CVE-2010-2962
|
||||
|
||||
* Thu Oct 21 2010 Michael Young <m.a.young@durham.ac.uk>
|
||||
- update pvops including event channels fix
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue