author | Michael Young <m.a.young@durham.ac.uk> | 2010-10-23 13:41:44 +0100 |
---|---|---|
committer | Michael Young <m.a.young@durham.ac.uk> | 2010-10-23 13:41:44 +0100 |
commit | 674c686daedf0934080c67664d9411082da3525a (patch) | |
tree | c01df15b2b2e00a6eb1b87fe32ae4c372e8eb197 | |
parent | a2e75552dbcdcb283115d8211e546f39e79c5a16 (diff) | |
parent | f69fa2ae2c275cccd43a9935f9188d50b5c27cc0 (diff) | |
Merge branch 'f12/master' into f12/user/myoung/xendom0
Conflicts:
kernel.spec
-rw-r--r-- | drm-i915-sanity-check-pread-pwrite.patch | 90 | ||||
-rw-r--r-- | kernel.spec | 48 | ||||
-rw-r--r-- | sources | 3 |
3 files changed, 124 insertions, 17 deletions
diff --git a/drm-i915-sanity-check-pread-pwrite.patch b/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644
index 0000000..ca6d2bc
--- /dev/null
+++ b/drm-i915-sanity-check-pread-pwrite.patch
@@ -0,0 +1,90 @@
+From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sun, 26 Sep 2010 20:50:05 +0100
+Subject: drm/i915: Sanity check pread/pwrite
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Backported-by: Chuck Ebbert <cebbert@redhat.com> 2.6.32
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_WRITE,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ file_priv);
+ }
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
+@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+
+ user_data = (char __user *) (uintptr_t) args->data_ptr;
+ remain = args->size;
+- if (!access_ok(VERIFY_READ, user_data, remain))
+- return -EFAULT;
+
+
+ mutex_lock(&dev->struct_mutex);
+@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_READ,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ /* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index 4474ffa..da552e6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 170.1
+%global baserelease 171
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -60,9 +60,9 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 23
+%define stable_update 25
 # Is it a -stable RC?
-%define stable_rc 0
+%define stable_rc 1
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev .%{stable_update}
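Review bot: With the `access_ok()` call removed from `i915_gem_gtt_pwrite_fast()` in drm-i915-sanity-check-pread-pwrite.patch, nothing in that helper records that the user pointer must already have been validated, so the requirement on its callers should be written down where the check used to be. A comment above `user_data = ...` such as `/* args->data_ptr and args->size were checked with access_ok() in i915_gem_pwrite_ioctl(); callers must not skip that check */` would stop a later caller from reaching the copy code with an unchecked pointer; the helper's body lies outside the hunk, so whether it uses unchecked copy primitives is assumed here rather than visible. In both ioctls the new `access_ok()` block also appears to rely on the preceding range test having bounded `args->size` by `obj->size` before it is passed as a length, so a one-line comment such as `/* keep after the bounds check: args->size is range-limited above */` is worth adding to the pread and pwrite hunks alike.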
@@ -730,14 +730,16 @@ Patch1824: drm-intel-next.patch
 Patch1825: drm-intel-acpi-populate-didl.patch
 Patch1826: drm-intel-make-lvds-work.patch
 #Patch1827: linux-2.6-intel-agp-clear-gtt.patch
-Patch1828: drm-nouveau-g80-ctxprog.patch
-Patch1831: drm-nouveau-tvout-disable.patch
-Patch1832: drm-nouveau-safetile-getparam.patch
-Patch1844: drm-nouveau-kconfig.patch
-Patch1845: drm-nouveau-mutex.patch
-Patch1846: drm-nouveau-update.patch
-Patch1847: drm-nouveau-d620.patch
-Patch1848: drm-nouveau-nva3-noaccel.patch
+Patch1828: drm-i915-sanity-check-pread-pwrite.patch
+
+Patch1850: drm-nouveau-g80-ctxprog.patch
+Patch1851: drm-nouveau-tvout-disable.patch
+Patch1852: drm-nouveau-safetile-getparam.patch
+Patch1853: drm-nouveau-kconfig.patch
+Patch1854: drm-nouveau-mutex.patch
+Patch1855: drm-nouveau-update.patch
+Patch1856: drm-nouveau-d620.patch
+Patch1857: drm-nouveau-nva3-noaccel.patch
 # kludge to make ich9 e1000 work
 Patch2000: linux-2.6-e1000-ich9.patch
@@ -1471,6 +1473,8 @@ ApplyPatch drm-intel-acpi-populate-didl.patch
 ApplyPatch drm-intel-make-lvds-work.patch
 # gm45 stability fixes
 ApplyPatch drm-intel-945gm-stability-fixes.patch
+# CVE-2010-2962
+ApplyPatch drm-i915-sanity-check-pread-pwrite.patch
 ApplyPatch drm-nouveau-g80-ctxprog.patch
 ApplyPatch drm-nouveau-tvout-disable.patch
@@ -1553,15 +1557,15 @@ ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch ApplyPatch net-do-not-check-capable-if-kernel.patch # Mitigate DOS with large argument lists -ApplyPatch execve-improve-interactivity-with-large-arguments.patch -ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch -ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch +#ApplyPatch execve-improve-interactivity-with-large-arguments.patch +#ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch +#ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch # rhbz#629158 -ApplyPatch r8169-fix-dma-allocations.patch +#ApplyPatch r8169-fix-dma-allocations.patch # rhbz#447489 -ApplyPatch skge-quirk-to-4gb-dma.patch +#ApplyPatch skge-quirk-to-4gb-dma.patch # rhbz#596475 ApplyPatch add-support-for-ricoh-e822-sdhci.patch @@ -2222,6 +2226,18 @@ fi %kernel_variant_files -k vmlinux %{with_kdump} kdump %changelog +* Fri Oct 22 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.25-171.rc1 +- Linux 2.6.32.25-rc1 +- Comment out patches merged upstream: + execve-improve-interactivity-with-large-arguments.patch + execve-make-responsive-to-sigkill-with-large-arguments.patch + setup_arg_pages-diagnose-excessive-argument-size.patch + xen-fix-typo-in-xen-irq-fix.patch + r8169-fix-dma-allocations.patch + skge-quirk-to-4gb-dma.patch +- drm-i915-sanity-check-pread-pwrite.patch: backport fix for + CVE-2010-2962 + * Thu Oct 21 2010 Michael Young <m.a.young@durham.ac.uk> - update pvops including event channels fix @@ -1,2 +1,3 @@ 260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2 -6eac9aebbf9e74546b7c44c0fb9348a7 patch-2.6.32.23.bz2 +e3346e3b4b92f048b8ecded829f45cdf patch-2.6.32.24.bz2 +811287361e4449aaad026b1c2df79d63 patch-2.6.32.25-rc1.bz2 |