Linux v4.10-rc5-107-g883af14

drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch

@@ -0,0 +1,82 @@
+From: Eric Anholt <eric@anholt.net>
+To: dri-devel@lists.freedesktop.org
+Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
+ allocation layout.
+Date: Wed, 18 Jan 2017 07:20:49 +1100
+
+We copy the unvalidated ioctl arguments from the user into kernel
+temporary memory to run the validation from, to avoid a race where the
+user updates the unvalidate contents in between validating them and
+copying them into the validated BO.
+
+However, in setting up the layout of the kernel side, we failed to
+check one of the additions (the roundup() for shader_rec_offset)
+against integer overflow, allowing a nearly MAX_UINT value of
+bin_cl_size to cause us to under-allocate the temporary space that we
+then copy_from_user into.
+
+Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index db920771bfb5..c5fe3554858e 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
+ 					  args->shader_rec_count);
+ 	struct vc4_bo *bo;
+ 
+-	if (uniforms_offset < shader_rec_offset ||
++	if (shader_rec_offset < args->bin_cl_size ||
++	    uniforms_offset < shader_rec_offset ||
+ 	    exec_size < uniforms_offset ||
+ 	    args->shader_rec_count >= (UINT_MAX /
+ 					  sizeof(struct vc4_shader_state)) ||
+-- 
+2.11.0
+
+_______________________________________________
+dri-devel mailing list
+dri-devel@lists.freedesktop.org
+https://lists.freedesktop.org/mailman/listinfo/dri-devel
+
+From: Eric Anholt <eric@anholt.net>
+To: dri-devel@lists.freedesktop.org
+Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
+Date: Wed, 18 Jan 2017 07:20:50 +1100
+
+By failing to set the errno, we'd continue on to trying to set up the
+RCL, and then oops on trying to dereference the tile_bo that binning
+validation should have set up.
+
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index c5fe3554858e..ab3016982466 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
+ 					  sizeof(struct vc4_shader_state)) ||
+ 	    temp_size < exec_size) {
+ 		DRM_ERROR("overflow in exec arguments\n");
++		ret = -EINVAL;
+ 		goto fail;
+ 	}
+ 
+-- 
+2.11.0
+
+_______________________________________________
+dri-devel mailing list
+dri-devel@lists.freedesktop.org
+https://lists.freedesktop.org/mailman/listinfo/dri-devel
+

gitrev

@@ -1 +1 @@
-a4685d2f58e2230d4e27fb2ee581d7ea35e5d046
+883af14e67e8b8702b5560aa64c888c0cd0bd66c

kernel.spec

@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 5
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -590,6 +590,9 @@ Patch851: Armada-trace-build-fix.patch
 # selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
 Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
 
+#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439
+Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2160,6 +2163,10 @@ fi
 #
 #
 %changelog
+* Wed Jan 25 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git2.1
+- Linux v4.10-rc5-107-g883af14
+- CVE-2017-5576 CVE-2017-5577 vc4 overflows (rhbz 1416436 1416437 1416439)
+
 * Tue Jan 24 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git1.1
 - Linux v4.10-rc5-71-ga4685d2
 

sources

@@ -1,4 +1,4 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
 SHA512 (patch-4.10-rc5.xz) = 5c51bce76af4e6f4637aaa059a9211c958d3d26332ef9efab421586069b1df5610b781908359da325dd114c9a6567f45be45a3c6bae6830586af69669d05910a
-SHA512 (patch-4.10-rc5-git1.xz) = 3a9c5193d80217069e3e1c61a110d0705f607442cfcfa801d1da61ce41b5a824ea7fd65c9273272f11469ef4caf8655f63139835fa1b7a0e89f7c2a82b379bc5
+SHA512 (patch-4.10-rc5-git2.xz) = ee952ac86845d1316e0be99b9b01b49f23fe938a643b8b5737c92436882f703282ef682de977957e7482e4eb3ce9ad543e9b528e9b4355a09a09b1c5d7d78e7b