[kernel] r9284 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Aug 7 22:06:33 UTC 2007
Author: dannf
Date: Tue Aug 7 22:06:33 2007
New Revision: 9284
Log:
[SECURITY] Fix remotely triggerable NULL pointer dereference
* bugfix/i965-secure-batchbuffer.patch
[SECURITY] Fix i965 secured batchbuffer usage
See CVE-2007-3851
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/i965-secure-batchbuffer.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Aug 7 22:06:33 2007
@@ -27,10 +27,13 @@
extraction that resulted in slightly less random numbers.
See CVE-2007-2453
* bugfix/nf_conntrack_sctp-null-deref.patch
- [SECURITY] Fix remotely triggerable NULL pointer dereference
+ [SECURITY] Fix remotely triggerable NULL pointer dereference
by sending an unknown chunk type.
+ * bugfix/i965-secure-batchbuffer.patch
+ [SECURITY] Fix i965 secured batchbuffer usage
+ See CVE-2007-3851
- -- dann frazier <dannf at debian.org> Sun, 15 Jul 2007 14:01:50 -0600
+ -- dann frazier <dannf at debian.org> Tue, 7 Aug 2007 16:04:41 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/i965-secure-batchbuffer.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/i965-secure-batchbuffer.patch Tue Aug 7 22:06:33 2007
@@ -0,0 +1,67 @@
+From: Dave Airlie <airlied at redhat.com>
+Date: Mon, 6 Aug 2007 23:09:51 +0000 (+1000)
+Subject: drm/i915: Fix i965 secured batchbuffer usage
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=21f16289270447673a7263ccc0b22d562fb01ecb
+
+drm/i915: Fix i965 secured batchbuffer usage
+
+This 965G and above chipsets moved the batch buffer non-secure bits to
+another place. This means that previous drm's allowed in-secure batchbuffers
+to be submitted to the hardware from non-privileged users who are logged
+into X and and have access to direct rendering.
+
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/drivers/char/drm/i915_dma.c b/drivers/char/drm/i915_dma.c
+index 3359cc2..8e7d713 100644
+--- a/drivers/char/drm/i915_dma.c
++++ b/drivers/char/drm/i915_dma.c
+@@ -184,6 +184,8 @@ static int i915_initialize(struct drm_device * dev,
+ * private backbuffer/depthbuffer usage.
+ */
+ dev_priv->use_mi_batchbuffer_start = 0;
++ if (IS_I965G(dev)) /* 965 doesn't support older method */
++ dev_priv->use_mi_batchbuffer_start = 1;
+
+ /* Allow hardware batchbuffers unless told otherwise.
+ */
+@@ -517,8 +519,13 @@ static int i915_dispatch_batchbuffer(struct drm_device * dev,
+
+ if (dev_priv->use_mi_batchbuffer_start) {
+ BEGIN_LP_RING(2);
+- OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
+- OUT_RING(batch->start | MI_BATCH_NON_SECURE);
++ if (IS_I965G(dev)) {
++ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6) | MI_BATCH_NON_SECURE_I965);
++ OUT_RING(batch->start);
++ } else {
++ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
++ OUT_RING(batch->start | MI_BATCH_NON_SECURE);
++ }
+ ADVANCE_LP_RING();
+ } else {
+ BEGIN_LP_RING(4);
+@@ -735,7 +742,8 @@ static int i915_setparam(DRM_IOCTL_ARGS)
+
+ switch (param.param) {
+ case I915_SETPARAM_USE_MI_BATCHBUFFER_START:
+- dev_priv->use_mi_batchbuffer_start = param.value;
++ if (!IS_I965G(dev))
++ dev_priv->use_mi_batchbuffer_start = param.value;
+ break;
+ case I915_SETPARAM_TEX_LRU_LOG_GRANULARITY:
+ dev_priv->tex_lru_log_granularity = param.value;
+diff --git a/drivers/char/drm/i915_drv.h b/drivers/char/drm/i915_drv.h
+index fd91856..737088b 100644
+--- a/drivers/char/drm/i915_drv.h
++++ b/drivers/char/drm/i915_drv.h
+@@ -282,6 +282,7 @@ extern int i915_wait_ring(struct drm_device * dev, int n, const char *caller);
+ #define MI_BATCH_BUFFER_START (0x31<<23)
+ #define MI_BATCH_BUFFER_END (0xA<<23)
+ #define MI_BATCH_NON_SECURE (1)
++#define MI_BATCH_NON_SECURE_I965 (1<<8)
+
+ #define MI_WAIT_FOR_EVENT ((0x3<<23))
+ #define MI_WAIT_FOR_PLANE_A_FLIP (1<<2)
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1 Tue Aug 7 22:06:33 2007
@@ -8,3 +8,4 @@
+ bugfix/random-fix-seeding-with-zero-entropy.patch
+ bugfix/random-fix-error-in-entropy-extraction.patch
+ bugfix/nf_conntrack_sctp-null-deref.patch
++ bugfix/i965-secure-batchbuffer.patch
More information about the Kernel-svn-changes
mailing list