From f69fa2ae2c275cccd43a9935f9188d50b5c27cc0 Mon Sep 17 00:00:00 2001
From: Chuck Ebbert <cebbert@redhat.com>
Date: Sat, 23 Oct 2010 01:23:31 -0400
Subject: drm-i915-sanity-check-pread-pwrite.patch: backport fix for
 CVE-2010-2962

---
 drm-i915-sanity-check-pread-pwrite.patch | 90 ++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 drm-i915-sanity-check-pread-pwrite.patch

(limited to 'drm-i915-sanity-check-pread-pwrite.patch')

diff --git a/drm-i915-sanity-check-pread-pwrite.patch b/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644
index 0000000..ca6d2bc
--- /dev/null
+++ b/drm-i915-sanity-check-pread-pwrite.patch
@@ -0,0 +1,90 @@
+From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sun, 26 Sep 2010 20:50:05 +0100
+Subject: drm/i915: Sanity check pread/pwrite
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Backported-by: Chuck Ebbert <cebbert@redhat.com> 2.6.32
+
+---
+ drivers/gpu/drm/i915/i915_gem.c |   28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ 	 */
+ 	if (args->offset > obj->size || args->size > obj->size ||
+ 	    args->offset + args->size > obj->size) {
+-		drm_gem_object_unreference(obj);
+-		return -EINVAL;
++		ret = -EINVAL;
++		goto err;
++	}
++
++	if (!access_ok(VERIFY_WRITE,
++		       (char __user *)(uintptr_t)args->data_ptr,
++		       args->size)) {
++		ret = -EFAULT;
++		goto err;
+ 	}
+ 
+ 	if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ 							file_priv);
+ 	}
+ 
++err:
+ 	drm_gem_object_unreference(obj);
+-
+ 	return ret;
+ }
+ 
+@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+ 
+ 	user_data = (char __user *) (uintptr_t) args->data_ptr;
+ 	remain = args->size;
+-	if (!access_ok(VERIFY_READ, user_data, remain))
+-		return -EFAULT;
+ 
+ 
+ 	mutex_lock(&dev->struct_mutex);
+@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 	 */
+ 	if (args->offset > obj->size || args->size > obj->size ||
+ 	    args->offset + args->size > obj->size) {
+-		drm_gem_object_unreference(obj);
+-		return -EINVAL;
++		ret = -EINVAL;
++		goto err;
++	}
++
++	if (!access_ok(VERIFY_READ,
++		       (char __user *)(uintptr_t)args->data_ptr,
++		       args->size)) {
++		ret = -EFAULT;
++		goto err;
+ 	}
+ 
+ 	/* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 		DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+ 
++err:
+ 	drm_gem_object_unreference(obj);
+-
+ 	return ret;
+ }
+ 
-- 
cgit