Linux v4.10-rc5-107-g883af14

This commit is contained in:
Justin M. Forbes 2017-01-25 11:32:26 -06:00
parent 99ca20362c
commit 99ffffefcc
4 changed files with 92 additions and 3 deletions

View File

@ -0,0 +1,82 @@
From: Eric Anholt <eric@anholt.net>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
allocation layout.
Date: Wed, 18 Jan 2017 07:20:49 +1100
We copy the unvalidated ioctl arguments from the user into kernel
temporary memory to run the validation from, to avoid a race where the
user updates the unvalidate contents in between validating them and
copying them into the validated BO.
However, in setting up the layout of the kernel side, we failed to
check one of the additions (the roundup() for shader_rec_offset)
against integer overflow, allowing a nearly MAX_UINT value of
bin_cl_size to cause us to under-allocate the temporary space that we
then copy_from_user into.
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
---
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index db920771bfb5..c5fe3554858e 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
args->shader_rec_count);
struct vc4_bo *bo;
- if (uniforms_offset < shader_rec_offset ||
+ if (shader_rec_offset < args->bin_cl_size ||
+ uniforms_offset < shader_rec_offset ||
exec_size < uniforms_offset ||
args->shader_rec_count >= (UINT_MAX /
sizeof(struct vc4_shader_state)) ||
--
2.11.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
From: Eric Anholt <eric@anholt.net>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
Date: Wed, 18 Jan 2017 07:20:50 +1100
By failing to set the errno, we'd continue on to trying to set up the
RCL, and then oops on trying to dereference the tile_bo that binning
validation should have set up.
Reported-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
---
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index c5fe3554858e..ab3016982466 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
sizeof(struct vc4_shader_state)) ||
temp_size < exec_size) {
DRM_ERROR("overflow in exec arguments\n");
+ ret = -EINVAL;
goto fail;
}
--
2.11.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

2
gitrev
View File

@ -1 +1 @@
a4685d2f58e2230d4e27fb2ee581d7ea35e5d046
883af14e67e8b8702b5560aa64c888c0cd0bd66c

View File

@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 5
# The git snapshot level
%define gitrev 1
%define gitrev 2
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@ -590,6 +590,9 @@ Patch851: Armada-trace-build-fix.patch
# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439
Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
# END OF PATCH DEFINITIONS
%endif
@ -2160,6 +2163,10 @@ fi
#
#
%changelog
* Wed Jan 25 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git2.1
- Linux v4.10-rc5-107-g883af14
- CVE-2017-5576 CVE-2017-5577 vc4 overflows (rhbz 1416436 1416437 1416439)
* Tue Jan 24 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git1.1
- Linux v4.10-rc5-71-ga4685d2

View File

@ -1,4 +1,4 @@
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
SHA512 (patch-4.10-rc5.xz) = 5c51bce76af4e6f4637aaa059a9211c958d3d26332ef9efab421586069b1df5610b781908359da325dd114c9a6567f45be45a3c6bae6830586af69669d05910a
SHA512 (patch-4.10-rc5-git1.xz) = 3a9c5193d80217069e3e1c61a110d0705f607442cfcfa801d1da61ce41b5a824ea7fd65c9273272f11469ef4caf8655f63139835fa1b7a0e89f7c2a82b379bc5
SHA512 (patch-4.10-rc5-git2.xz) = ee952ac86845d1316e0be99b9b01b49f23fe938a643b8b5737c92436882f703282ef682de977957e7482e4eb3ce9ad543e9b528e9b4355a09a09b1c5d7d78e7b