[kernel] r19945 - in dists/sid/linux/debian: . patches patches/bugfix/x86
Ben Hutchings
benh at alioth.debian.org
Mon Mar 25 13:13:14 UTC 2013
Author: benh
Date: Mon Mar 25 13:13:14 2013
New Revision: 19945
Log:
[x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
Added:
dists/sid/linux/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Sun Mar 24 02:28:11 2013 (r19944)
+++ dists/sid/linux/debian/changelog Mon Mar 25 13:13:14 2013 (r19945)
@@ -4,6 +4,7 @@
efi-modules (fixes FTBFS)
* linux-headers: Fix file installation on architectures without
Kbuild.platforms (Closes: #703800)
+ * [x86] drm/i915: bounds check execbuffer relocation count (CVE-2013-0913)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 23 Mar 2013 17:45:03 +0000
Added: dists/sid/linux/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch Mon Mar 25 13:13:14 2013 (r19945)
@@ -0,0 +1,49 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson <chris at chris-wilson.co.uk>
+Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -907,15 +907,20 @@ validate_exec_list(struct drm_i915_gem_e
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Sun Mar 24 02:28:11 2013 (r19944)
+++ dists/sid/linux/debian/patches/series Mon Mar 25 13:13:14 2013 (r19945)
@@ -635,3 +635,4 @@
bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
bugfix/all/efivars-pstore-do-not-check-size-when-erasing-variable.patch
debian/efivars-remove-check-for-50-full-on-write.patch
+bugfix/x86/drm-i915-bounds-check-execbuffer-relocation-count.patch
More information about the Kernel-svn-changes
mailing list