diff options
| author | Justin M. Forbes <jforbes@redhat.com> | 2017-03-27 16:19:16 -0500 |
|---|---|---|
| committer | Justin M. Forbes <jforbes@redhat.com> | 2017-03-27 16:19:16 -0500 |
| commit | 7474d05cae3e9de440e41073b8d6ce86862755ea (patch) | |
| tree | 5f696d5620cca6ba2c6b6994c9420b2657a103d2 | |
| parent | 11bc6120d268830dcb0c8ed25b4cbe79e3746f3a (diff) | |
| download | kernel-7474d05cae3e9de440e41073b8d6ce86862755ea.tar.gz kernel-7474d05cae3e9de440e41073b8d6ce86862755ea.tar.xz kernel-7474d05cae3e9de440e41073b8d6ce86862755ea.zip | |
CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740)
| -rw-r--r-- | kernel.spec | 6 | ||||
| -rw-r--r-- | vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch | 33 |
2 files changed, 39 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 13d2e50c7..0512a4d95 100644 --- a/kernel.spec +++ b/kernel.spec @@ -608,6 +608,9 @@ Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch #Fix crda rhbz 1422247 Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch +#CVE-2017-7261 rhbz 1435719 1435740 +Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch + # END OF PATCH DEFINITIONS %endif @@ -2177,6 +2180,9 @@ fi # # %changelog +* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740) + * Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.6-200 - Linux v4.10.6 diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch new file mode 100644 index 000000000..1ede96c60 --- /dev/null +++ b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch @@ -0,0 +1,33 @@ +From: Vladis Dronov <vdronov@redhat.com> +Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl() +Date: 2017-03-24 15:37:10 + +In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a +user-controlled value which is not checked for zero. It is used in +a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR +is dereferenced which leads to a GPF and possibly to a kernel panic. +Add the check for zero to avoid this. + +Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719 +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index b445ce9..42840cc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, + for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) + num_sizes += req->mip_levels[i]; + +- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * +- DRM_VMW_MAX_MIP_LEVELS) ++ if (num_sizes <= 0 || ++ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) + return -EINVAL; + + size = vmw_user_surface_size + 128 + +-- +2.9.3 |