drm-i915-sanity-check-pread-pwrite.patch: backport fix for CVE-2010-2962
This commit is contained in:
parent
1270a00f83
commit
f69fa2ae2c
|
@ -0,0 +1,90 @@
|
|||
From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Date: Sun, 26 Sep 2010 20:50:05 +0100
|
||||
Subject: drm/i915: Sanity check pread/pwrite
|
||||
|
||||
From: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
|
||||
commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
|
||||
|
||||
Move the access control up from the fast paths, which are no longer
|
||||
universally taken first, up into the caller. This then duplicates some
|
||||
sanity checking along the slow paths, but is much simpler.
|
||||
Tracked as CVE-2010-2962.
|
||||
|
||||
Reported-by: Kees Cook <kees@ubuntu.com>
|
||||
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
Backported-by: Chuck Ebbert <cebbert@redhat.com> 2.6.32
|
||||
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_gem.c | 28 ++++++++++++++++++++--------
|
||||
1 file changed, 20 insertions(+), 8 deletions(-)
|
||||
|
||||
--- a/drivers/gpu/drm/i915/i915_gem.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_gem.c
|
||||
@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
|
||||
*/
|
||||
if (args->offset > obj->size || args->size > obj->size ||
|
||||
args->offset + args->size > obj->size) {
|
||||
- drm_gem_object_unreference(obj);
|
||||
- return -EINVAL;
|
||||
+ ret = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!access_ok(VERIFY_WRITE,
|
||||
+ (char __user *)(uintptr_t)args->data_ptr,
|
||||
+ args->size)) {
|
||||
+ ret = -EFAULT;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
if (i915_gem_object_needs_bit17_swizzle(obj)) {
|
||||
@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
|
||||
file_priv);
|
||||
}
|
||||
|
||||
+err:
|
||||
drm_gem_object_unreference(obj);
|
||||
-
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
|
||||
|
||||
user_data = (char __user *) (uintptr_t) args->data_ptr;
|
||||
remain = args->size;
|
||||
- if (!access_ok(VERIFY_READ, user_data, remain))
|
||||
- return -EFAULT;
|
||||
|
||||
|
||||
mutex_lock(&dev->struct_mutex);
|
||||
@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
|
||||
*/
|
||||
if (args->offset > obj->size || args->size > obj->size ||
|
||||
args->offset + args->size > obj->size) {
|
||||
- drm_gem_object_unreference(obj);
|
||||
- return -EINVAL;
|
||||
+ ret = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!access_ok(VERIFY_READ,
|
||||
+ (char __user *)(uintptr_t)args->data_ptr,
|
||||
+ args->size)) {
|
||||
+ ret = -EFAULT;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/* We can only do the GTT pwrite on untiled buffers, as otherwise
|
||||
@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
|
||||
DRM_INFO("pwrite failed %d\n", ret);
|
||||
#endif
|
||||
|
||||
+err:
|
||||
drm_gem_object_unreference(obj);
|
||||
-
|
||||
return ret;
|
||||
}
|
||||
|
22
kernel.spec
22
kernel.spec
|
@ -728,14 +728,16 @@ Patch1824: drm-intel-next.patch
|
|||
Patch1825: drm-intel-acpi-populate-didl.patch
|
||||
Patch1826: drm-intel-make-lvds-work.patch
|
||||
#Patch1827: linux-2.6-intel-agp-clear-gtt.patch
|
||||
Patch1828: drm-nouveau-g80-ctxprog.patch
|
||||
Patch1831: drm-nouveau-tvout-disable.patch
|
||||
Patch1832: drm-nouveau-safetile-getparam.patch
|
||||
Patch1844: drm-nouveau-kconfig.patch
|
||||
Patch1845: drm-nouveau-mutex.patch
|
||||
Patch1846: drm-nouveau-update.patch
|
||||
Patch1847: drm-nouveau-d620.patch
|
||||
Patch1848: drm-nouveau-nva3-noaccel.patch
|
||||
Patch1828: drm-i915-sanity-check-pread-pwrite.patch
|
||||
|
||||
Patch1850: drm-nouveau-g80-ctxprog.patch
|
||||
Patch1851: drm-nouveau-tvout-disable.patch
|
||||
Patch1852: drm-nouveau-safetile-getparam.patch
|
||||
Patch1853: drm-nouveau-kconfig.patch
|
||||
Patch1854: drm-nouveau-mutex.patch
|
||||
Patch1855: drm-nouveau-update.patch
|
||||
Patch1856: drm-nouveau-d620.patch
|
||||
Patch1857: drm-nouveau-nva3-noaccel.patch
|
||||
|
||||
# kludge to make ich9 e1000 work
|
||||
Patch2000: linux-2.6-e1000-ich9.patch
|
||||
|
@ -1467,6 +1469,8 @@ ApplyPatch drm-intel-acpi-populate-didl.patch
|
|||
ApplyPatch drm-intel-make-lvds-work.patch
|
||||
# gm45 stability fixes
|
||||
ApplyPatch drm-intel-945gm-stability-fixes.patch
|
||||
# CVE-2010-2962
|
||||
ApplyPatch drm-i915-sanity-check-pread-pwrite.patch
|
||||
|
||||
ApplyPatch drm-nouveau-g80-ctxprog.patch
|
||||
ApplyPatch drm-nouveau-tvout-disable.patch
|
||||
|
@ -2226,6 +2230,8 @@ fi
|
|||
xen-fix-typo-in-xen-irq-fix.patch
|
||||
r8169-fix-dma-allocations.patch
|
||||
skge-quirk-to-4gb-dma.patch
|
||||
- drm-i915-sanity-check-pread-pwrite.patch: backport fix for
|
||||
CVE-2010-2962
|
||||
|
||||
* Thu Oct 14 2010 Kyle McMartin <kyle@redhat.com>
|
||||
- rhbz447489: skge-quirk-to-4gb-dma.patch
|
||||
|
|
Loading…
Reference in New Issue