[kernel] r18957 - in dists/sid/linux-2.6/debian: . patches/bugfix/x86 patches/series
Ben Hutchings
benh at alioth.debian.org
Fri Apr 27 04:13:33 UTC 2012
Author: benh
Date: Fri Apr 27 04:13:31 2012
New Revision: 18957
Log:
[x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}
Added:
dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/base
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Fri Apr 27 03:36:24 2012 (r18956)
+++ dists/sid/linux-2.6/debian/changelog Fri Apr 27 04:13:31 2012 (r18957)
@@ -24,6 +24,7 @@
- Rate limit the state manager for lock reclaim warning messages
- Ensure that the LOCK code sets exception->inode
- Ensure that we check lock exclusive/shared type against open modes
+ * [x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}
-- Ben Hutchings <ben at decadent.org.uk> Mon, 16 Apr 2012 02:27:29 +0100
Added: dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch Fri Apr 27 04:13:31 2012 (r18957)
@@ -0,0 +1,38 @@
+From: Xi Wang <xi.wang at gmail.com>
+Date: Mon, 23 Apr 2012 04:06:42 -0400
+Message-Id: <1335168402-25174-2-git-send-email-xi.wang at gmail.com>
+Subject: [PATCH v2 2/2] drm/i915: fix integer overflow in
+ i915_gem_do_execbuffer()
+
+On 32-bit systems, a large args->num_cliprects from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
+allocation for execbuffer object list").
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Cc: Chris Wilson <chris at chris-wilson.co.uk>
+Cc: stable at vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index 7c50e58..de43194 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ return -EINVAL;
+ }
+
++ if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
++ DRM_DEBUG("execbuf with %u cliprects\n",
++ args->num_cliprects);
++ return -EINVAL;
++ }
+ cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
+ GFP_KERNEL);
+ if (cliprects == NULL) {
+--
+1.7.5.4
+
Added: dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch Fri Apr 27 04:13:31 2012 (r18957)
@@ -0,0 +1,37 @@
+From: Xi Wang <xi.wang at gmail.com>
+Date: Mon, 23 Apr 2012 04:06:41 -0400
+Message-Id: <1335168402-25174-1-git-send-email-xi.wang at gmail.com>
+Subject: [PATCH v2 1/2] drm/i915: fix integer overflow in
+ i915_gem_execbuffer2()
+
+On 32-bit systems, a large args->buffer_count from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 8408c282 ("drm/i915:
+First try a normal large kmalloc for the temporary exec buffers").
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Cc: Chris Wilson <chris at chris-wilson.co.uk>
+Cc: stable at vger.kernel.org
+[bwh: Backported to 3.2: adjust context]
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index f51a696..7c50e58 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
+ struct drm_i915_gem_exec_object2 *exec2_list = NULL;
+ int ret;
+
+- if (args->buffer_count < 1) {
++ if (args->buffer_count < 1 ||
++ args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
+ DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
+ return -EINVAL;
+ }
+--
+1.7.5.4
+
Modified: dists/sid/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/base Fri Apr 27 03:36:24 2012 (r18956)
+++ dists/sid/linux-2.6/debian/patches/series/base Fri Apr 27 04:13:31 2012 (r18957)
@@ -190,3 +190,5 @@
+ bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
+ bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch
+ bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
More information about the Kernel-svn-changes
mailing list