authorChuck Ebbert <cebbert@redhat.com>2010-10-23 01:23:31 -0400
committerChuck Ebbert <cebbert@redhat.com>2010-10-23 01:23:31 -0400
commitf69fa2ae2c275cccd43a9935f9188d50b5c27cc0 (patch)
tree1bbbd1d0d230daf9726630c5c5f1353af3afea43 /drm-i915-sanity-check-pread-pwrite.patch
parent1270a00f83456397f1c9c3900e715654e51fd015 (diff)
drm-i915-sanity-check-pread-pwrite.patch: backport fix for CVE-2010-2962
Diffstat (limited to 'drm-i915-sanity-check-pread-pwrite.patch')
-rw-r--r--drm-i915-sanity-check-pread-pwrite.patch90
1 files changed, 90 insertions, 0 deletions
diff --git a/drm-i915-sanity-check-pread-pwrite.patch b/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644
index 0000000..ca6d2bc
--- /dev/null
+++ b/drm-i915-sanity-check-pread-pwrite.patch
@@ -0,0 +1,90 @@
+From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sun, 26 Sep 2010 20:50:05 +0100
+Subject: drm/i915: Sanity check pread/pwrite
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Backported-by: Chuck Ebbert <cebbert@redhat.com> 2.6.32
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_WRITE,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ file_priv);
+ }
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
+@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+
+ user_data = (char __user *) (uintptr_t) args->data_ptr;
+ remain = args->size;
+- if (!access_ok(VERIFY_READ, user_data, remain))
+- return -EFAULT;
+
+
+ mutex_lock(&dev->struct_mutex);
+@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_READ,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ /* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
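Review bot: After the access_ok() removal in i915_gem_gtt_pwrite_fast (the `@@ -568,8 +575,6 @@` hunk of the embedded patch), that function uses `user_data` and `remain` with no local validation, and nothing in the code records that it now depends on its caller for the check. I would add a comment there such as `/* user range already checked by access_ok() in i915_gem_pwrite_ioctl */`, and a matching one above the new checks in both ioctls, e.g. `/* single access_ok() covering every fast and slow path below */`. The new checks sit after the `obj->size` bounds test, so the `args->size` handed to access_ok() is already limited to the object size; that ordering is load-bearing and deserves a word in the comment as well. Because this is a backport to 2.6.32 rather than the upstream tree, it is worth confirming that every user-copy helper in this tree's pread/pwrite paths is reachable only through the two ioctls; the function bodies extend beyond the hunks shown, so that cannot be verified from this page.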