CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)
parent
c9c43cfcba
commit
dfee514436
|
@ -0,0 +1,51 @@
|
|||
From e896e9dde50fd9a44cbbed205cc0beb869e2193b Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Mon, 11 Mar 2013 17:31:45 -0700
|
||||
Subject: [PATCH] drm/i915: bounds check execbuffer relocation count
|
||||
|
||||
It is possible to wrap the counter used to allocate the buffer for
|
||||
relocation copies. This could lead to heap writing overflows.
|
||||
|
||||
CVE-2013-0913
|
||||
|
||||
v3: collapse test, improve comment
|
||||
v2: move check into validate_exec_list
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Pinkie Pie
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
index 26d08bb..7adf5a7 100644
|
||||
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
|
||||
@@ -706,15 +706,20 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
|
||||
int count)
|
||||
{
|
||||
int i;
|
||||
+ int relocs_total = 0;
|
||||
+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
|
||||
|
||||
for (i = 0; i < count; i++) {
|
||||
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
|
||||
int length; /* limited by fault_in_pages_readable() */
|
||||
|
||||
- /* First check for malicious input causing overflow */
|
||||
- if (exec[i].relocation_count >
|
||||
- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
|
||||
+ /* First check for malicious input causing overflow in
|
||||
+ * the worst case where we need to allocate the entire
|
||||
+ * relocation tree as a single array.
|
||||
+ */
|
||||
+ if (exec[i].relocation_count > relocs_max - relocs_total)
|
||||
return -EINVAL;
|
||||
+ relocs_total += exec[i].relocation_count;
|
||||
|
||||
length = exec[i].relocation_count *
|
||||
sizeof(struct drm_i915_gem_relocation_entry);
|
||||
--
|
||||
1.8.1.2
|
||||
|
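Review bot: The new guard `if (exec[i].relocation_count > relocs_max - relocs_total)` compares what appears to be an unsigned count (its declaration is not in this hunk) against a signed `int` difference, so it is only correct because `relocs_total` can never exceed `relocs_max`, and that invariant is left implicit. Declaring both accumulators unsigned keeps the same INT_MAX-derived limit while taking the signed/unsigned conversion out of a security check: `unsigned int relocs_total = 0;` and `unsigned int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);`. The comment could also gain one line saying that the running total is capped so a later single allocation sized from the summed counts cannot wrap. That allocation is not visible here, and the body of validate_exec_list continues past the last line of the hunk.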
|
@ -797,6 +797,9 @@ Patch24107: uvcvideo-suspend-fix.patch
|
|||
#CVE-2013-0914 rhbz 920499 920510
|
||||
Patch24108: signal-always-clear-sa_restorer-on-execve.patch
|
||||
|
||||
#CVE-2013-0913 rhbz 920471 920529
|
||||
Patch24109: drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
# AMD64 EDAC reports a wrong dimm count with new API. Fix it
|
||||
Patch25000: amd64_edac_fix_rank_count.patch
|
||||
|
||||
|
@ -1548,6 +1551,9 @@ ApplyPatch uvcvideo-suspend-fix.patch
|
|||
#CVE-2013-0914 rhbz 920499 920510
|
||||
ApplyPatch signal-always-clear-sa_restorer-on-execve.patch
|
||||
|
||||
#CVE-2013-0913 rhbz 920471 920529
|
||||
ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2407,6 +2413,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Tue Mar 12 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)
|
||||
- CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510)
|
||||
|
||||
* Mon Mar 11 2013 Mauro Carvalho Chehab <mchehab@redhat.com> - 3.8.2-209
|
||||
|
|