Linux 3.9-rc4

  merged: drm-i915-bounds-check-execbuffer-relocation-count.patch

3 files changed, 8 insertions, 109 deletions

diff --git a/drm-i915-bounds-check-execbuffer-relocation-count.patch b/drm-i915-bounds-check-execbuffer-relocation-count.patch
deleted file mode 100644
index 1377a5285..000000000
--- a/drm-i915-bounds-check-execbuffer-relocation-count.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-                                                                                                                                                                                                                                                               
-Delivered-To: jwboyer@gmail.com
-Received: by 10.76.169.233 with SMTP id ah9csp107244oac;
-        Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
-X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048;
-        Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
-Return-Path: <linux-kernel-owner@vger.kernel.org>
-Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
-        by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12;
-        Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
-Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
-Authentication-Results: mx.google.com;
-       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-	id S1754633Ab3CLAbx (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
-	Mon, 11 Mar 2013 20:31:53 -0400
-Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net"
-	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-	id S1754446Ab3CLAbx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
-	Mon, 11 Mar 2013 20:31:53 -0400
-Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
-	by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342;
-	Mon, 11 Mar 2013 17:31:45 -0700
-Date:	Mon, 11 Mar 2013 17:31:45 -0700
-From:	Kees Cook <keescook@chromium.org>
-To:	linux-kernel@vger.kernel.org
-Cc:	Daniel Vetter <daniel.vetter@ffwll.ch>,
-	David Airlie <airlied@linux.ie>,
-	dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org,
-	Julien Tinnes <jln@google.com>, marcheu@chromium.org
-Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count
-Message-ID: <20130312003145.GA28993@www.outflux.net>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=us-ascii
-Content-Disposition: inline
-X-MIMEDefang-Filter: outflux$Revision: 1.316 $
-X-HELO:	www.outflux.net
-X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
-Sender:	linux-kernel-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-kernel.vger.kernel.org>
-X-Mailing-List:	linux-kernel@vger.kernel.org
-
-It is possible to wrap the counter used to allocate the buffer for
-relocation copies. This could lead to heap writing overflows.
-
-CVE-2013-0913
-
-v3: collapse test, improve comment
-v2: move check into validate_exec_list
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Reported-by: Pinkie Pie
-Cc: stable@vger.kernel.org
----
- drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index b3a40ee..094ba41 100644
---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
- 		   int count)
- {
- 	int i;
-+	int relocs_total = 0;
-+	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
- 
- 	for (i = 0; i < count; i++) {
- 		char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
-@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
- 		if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)
- 			return -EINVAL;
- 
--		/* First check for malicious input causing overflow */
--		if (exec[i].relocation_count >
--		    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
-+		/* First check for malicious input causing overflow in
-+		 * the worst case where we need to allocate the entire
-+		 * relocation tree as a single array.
-+		 */
-+		if (exec[i].relocation_count > relocs_max - relocs_total)
- 			return -EINVAL;
-+		relocs_total += exec[i].relocation_count;
- 
- 		length = exec[i].relocation_count *
- 			sizeof(struct drm_i915_gem_relocation_entry);
--- 
-1.7.9.5
-
-
--- 
-Kees Cook
-Chrome OS Security
---
-To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at  http://www.tux.org/lkml/
diff --git a/kernel.spec b/kernel.spec
index 840d492f3..8fdfebba3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -93,9 +93,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%define rcrev 3
+%define rcrev 4
 # The git snapshot level
-%define gitrev 1
+%define gitrev 0
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -734,9 +734,6 @@ Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
 #rhbz 914737
 Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
 
-#CVE-2013-0913 rhbz 920471 920529
-Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
-
 #rhbz 856863 892599
 Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch
 Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
@@ -1441,9 +1438,6 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
 #rhbz 914737
 ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
 
-#CVE-2013-0913 rhbz 920471 920529
-ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
-
 #rhbz 856863 892599
 ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch
 ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
@@ -2295,6 +2289,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Sun Mar 24 2013 Dave Jones <davej@redhat.com> -3.9.0-0.rc4.git0.1
+- Linux 3.9-rc4
+  merged: drm-i915-bounds-check-execbuffer-relocation-count.patch
+
 * Sun Mar 24 2013 Peter Robinson <pbrobinson@fedoraproject.org>
 - Update ARM config for OMAP/mvebu/lpae
 
diff --git a/sources b/sources
index 9a2b372a7..636355513 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 1c738edfc54e7c65faeb90c436104e2f  linux-3.8.tar.xz
 f7e97476e1ba31c3bb666b442fcb75dd  patch-3.9-rc3.xz
 95c3a8605dc96802e2dfe86a2655840c  patch-3.9-rc3-git1.xz
+8106d3a1c94ea6eb726e62c167a794da  patch-3.9-rc4.xz