summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThorsten Leemhuis <fedora@leemhuis.info>2017-01-28 09:07:28 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2017-01-28 09:07:28 +0100
commit189120fada0c7e08ad7cb421bd00f5f1a29ebf8a (patch)
treef739da9ab56dd8ead8a9f47bd02debb05ec4fff4
parent858f59eb64bd80474a8ceff801c88bfa91a1b2eb (diff)
parent94ee8d4cda667392b4f3a72c2f199ef38cb298be (diff)
downloadkernel-189120fada0c7e08ad7cb421bd00f5f1a29ebf8a.tar.gz
kernel-189120fada0c7e08ad7cb421bd00f5f1a29ebf8a.tar.xz
kernel-189120fada0c7e08ad7cb421bd00f5f1a29ebf8a.zip
-rw-r--r--drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch82
-rw-r--r--gitrev2
-rw-r--r--kernel.spec8
-rw-r--r--sources2
4 files changed, 6 insertions, 88 deletions
diff --git a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
deleted file mode 100644
index 37f012073..000000000
--- a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From: Eric Anholt <eric@anholt.net>
-To: dri-devel@lists.freedesktop.org
-Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
- allocation layout.
-Date: Wed, 18 Jan 2017 07:20:49 +1100
-
-We copy the unvalidated ioctl arguments from the user into kernel
-temporary memory to run the validation from, to avoid a race where the
-user updates the unvalidate contents in between validating them and
-copying them into the validated BO.
-
-However, in setting up the layout of the kernel side, we failed to
-check one of the additions (the roundup() for shader_rec_offset)
-against integer overflow, allowing a nearly MAX_UINT value of
-bin_cl_size to cause us to under-allocate the temporary space that we
-then copy_from_user into.
-
-Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
-Signed-off-by: Eric Anholt <eric@anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
-index db920771bfb5..c5fe3554858e 100644
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
- args->shader_rec_count);
- struct vc4_bo *bo;
-
-- if (uniforms_offset < shader_rec_offset ||
-+ if (shader_rec_offset < args->bin_cl_size ||
-+ uniforms_offset < shader_rec_offset ||
- exec_size < uniforms_offset ||
- args->shader_rec_count >= (UINT_MAX /
- sizeof(struct vc4_shader_state)) ||
---
-2.11.0
-
-_______________________________________________
-dri-devel mailing list
-dri-devel@lists.freedesktop.org
-https://lists.freedesktop.org/mailman/listinfo/dri-devel
-
-From: Eric Anholt <eric@anholt.net>
-To: dri-devel@lists.freedesktop.org
-Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
-Date: Wed, 18 Jan 2017 07:20:50 +1100
-
-By failing to set the errno, we'd continue on to trying to set up the
-RCL, and then oops on trying to dereference the tile_bo that binning
-validation should have set up.
-
-Reported-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Eric Anholt <eric@anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
-index c5fe3554858e..ab3016982466 100644
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
- sizeof(struct vc4_shader_state)) ||
- temp_size < exec_size) {
- DRM_ERROR("overflow in exec arguments\n");
-+ ret = -EINVAL;
- goto fail;
- }
-
---
-2.11.0
-
-_______________________________________________
-dri-devel mailing list
-dri-devel@lists.freedesktop.org
-https://lists.freedesktop.org/mailman/listinfo/dri-devel
-
diff --git a/gitrev b/gitrev
index ad19f21e6..cd859ca5b 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-ff9f8a7cf935468a94d9927c68b00daae701667e
+1b1bc42c1692e9b62756323c675a44cb1a1f9dbd
diff --git a/kernel.spec b/kernel.spec
index 525ff1207..c9965aac7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 5
# The git snapshot level
-%define gitrev 3
+%define gitrev 4
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -610,9 +610,6 @@ Patch851: Armada-trace-build-fix.patch
# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
-#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439
-Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch
-
# END OF PATCH DEFINITIONS
%endif
@@ -2186,6 +2183,9 @@ fi
#
#
%changelog
+* Fri Jan 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git4.1
+- Linux v4.10-rc5-367-g1b1bc42
+
* Thu Jan 26 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc5.git3.1
- Linux v4.10-rc5-122-gff9f8a7
diff --git a/sources b/sources
index 9fe2523ce..b3f1f6c03 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
SHA512 (patch-4.10-rc5.xz) = 5c51bce76af4e6f4637aaa059a9211c958d3d26332ef9efab421586069b1df5610b781908359da325dd114c9a6567f45be45a3c6bae6830586af69669d05910a
-SHA512 (patch-4.10-rc5-git3.xz) = e4510851b1bc53e6e34226642386ed5fe2fbca1341a335bb80acbd8535410fb4a218616435e8a3578e4e3d3b4119d021d32643744c85c1287a4da2bab8af2123
+SHA512 (patch-4.10-rc5-git4.xz) = 7375743789e8fb13bacb256290bd3e7c38ff0ee02875705b67a16e32fc72b4cbb99014d6be48e082f4bf02bcbcc2aae27c7f6c8087f66b5732007aa559254d6f