diff options
Diffstat (limited to 'drm-i915-bounds-check-execbuffer-relocation-count.patch')
| -rw-r--r-- | drm-i915-bounds-check-execbuffer-relocation-count.patch | 100 |
1 files changed, 0 insertions, 100 deletions
diff --git a/drm-i915-bounds-check-execbuffer-relocation-count.patch b/drm-i915-bounds-check-execbuffer-relocation-count.patch deleted file mode 100644 index 1377a5285..000000000 --- a/drm-i915-bounds-check-execbuffer-relocation-count.patch +++ /dev/null @@ -1,100 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.169.233 with SMTP id ah9csp107244oac; - Mon, 11 Mar 2013 17:32:43 -0700 (PDT) -X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048; - Mon, 11 Mar 2013 17:32:43 -0700 (PDT) -Return-Path: <linux-kernel-owner@vger.kernel.org> -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12; - Mon, 11 Mar 2013 17:32:43 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754633Ab3CLAbx (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others); - Mon, 11 Mar 2013 20:31:53 -0400 -Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754446Ab3CLAbx (ORCPT <rfc822;linux-kernel@vger.kernel.org>); - Mon, 11 Mar 2013 20:31:53 -0400 -Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) - by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342; - Mon, 11 Mar 2013 17:31:45 -0700 -Date: Mon, 11 Mar 2013 17:31:45 -0700 -From: Kees Cook <keescook@chromium.org> -To: linux-kernel@vger.kernel.org -Cc: Daniel Vetter <daniel.vetter@ffwll.ch>, - David Airlie <airlied@linux.ie>, - dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, - Julien Tinnes <jln@google.com>, marcheu@chromium.org -Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count -Message-ID: <20130312003145.GA28993@www.outflux.net> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -X-MIMEDefang-Filter: outflux$Revision: 1.316 $ -X-HELO: www.outflux.net -X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: <linux-kernel.vger.kernel.org> -X-Mailing-List: linux-kernel@vger.kernel.org - -It is possible to wrap the counter used to allocate the buffer for -relocation copies. This could lead to heap writing overflows. - -CVE-2013-0913 - -v3: collapse test, improve comment -v2: move check into validate_exec_list - -Signed-off-by: Kees Cook <keescook@chromium.org> -Reported-by: Pinkie Pie -Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index b3a40ee..094ba41 100644 ---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c -+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, - int count) - { - int i; -+ int relocs_total = 0; -+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); - - for (i = 0; i < count; i++) { - char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; -@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, - if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS) - return -EINVAL; - -- /* First check for malicious input causing overflow */ -- if (exec[i].relocation_count > -- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) -+ /* First check for malicious input causing overflow in -+ * the worst case where we need to allocate the entire -+ * relocation tree as a single array. -+ */ -+ if (exec[i].relocation_count > relocs_max - relocs_total) - return -EINVAL; -+ relocs_total += exec[i].relocation_count; - - length = exec[i].relocation_count * - sizeof(struct drm_i915_gem_relocation_entry); --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ |