diff options
| author | Justin M. Forbes <jforbes@redhat.com> | 2017-03-27 16:23:42 -0500 |
|---|---|---|
| committer | Justin M. Forbes <jforbes@redhat.com> | 2017-03-27 16:23:42 -0500 |
| commit | 3a0275274a2013593ff350e0f0fedd9424b258f0 (patch) | |
| tree | d3c8f85a7adc1b3c4f2f21cca437815071cc7e3e | |
| parent | 1fd003016506faf0b758d1a898b5da49cd084f4d (diff) | |
| download | kernel-3a0275274a2013593ff350e0f0fedd9424b258f0.tar.gz kernel-3a0275274a2013593ff350e0f0fedd9424b258f0.tar.xz kernel-3a0275274a2013593ff350e0f0fedd9424b258f0.zip | |
CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740)
| -rw-r--r-- | kernel.spec | 6 | ||||
| -rw-r--r-- | vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch | 33 |
2 files changed, 39 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 755894b1c..431d68b4d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -605,6 +605,9 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch # Fix virtio devices rhbz 1430297 Patch669: virtio_pci-fix-out-of-bound-access-for-msix_names.patch +#CVE-2017-7261 rhbz 1435719 1435740 +Patch670: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch + # END OF PATCH DEFINITIONS %endif @@ -2169,6 +2172,9 @@ fi # # %changelog +* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740) + * Mon Mar 27 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.0-0.rc4.git0.1 - Linux v4.11-rc4 diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch new file mode 100644 index 000000000..1ede96c60 --- /dev/null +++ b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch @@ -0,0 +1,33 @@ +From: Vladis Dronov <vdronov@redhat.com> +Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl() +Date: 2017-03-24 15:37:10 + +In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a +user-controlled value which is not checked for zero. It is used in +a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR +is dereferenced which leads to a GPF and possibly to a kernel panic. +Add the check for zero to avoid this. + +Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719 +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index b445ce9..42840cc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, + for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) + num_sizes += req->mip_levels[i]; + +- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * +- DRM_VMW_MAX_MIP_LEVELS) ++ if (num_sizes <= 0 || ++ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) + return -EINVAL; + + size = vmw_user_surface_size + 128 + +-- +2.9.3 |