[kernel] r16433 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Oct 13 15:54:02 UTC 2010
Author: dannf
Date: Wed Oct 13 15:53:58 2010
New Revision: 16433
Log:
* drm/i915: Sanity check pread/pwrite (CVE-2010-2962)
* drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-sanity-check-pread+pwrite.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Wed Oct 13 13:54:14 2010 (r16432)
+++ dists/sid/linux-2.6/debian/changelog Wed Oct 13 15:53:58 2010 (r16433)
@@ -29,6 +29,10 @@
* xen: do not truncate machine address on gnttab_copy_grant_page hypercall
(Closes: #599089)
+ [ dann frazier ]
+ * drm/i915: Sanity check pread/pwrite (CVE-2010-2962)
+ * drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
+
-- Ben Hutchings <ben at decadent.org.uk> Thu, 30 Sep 2010 12:28:58 +0100
linux-2.6 (2.6.32-24) unstable; urgency=high
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch Wed Oct 13 15:53:58 2010 (r16433)
@@ -0,0 +1,45 @@
+[Backported to Debian's 2.6.32 by dann frazier <dannf at debian.org>
+
+commit 7dcd2499deab8f10011713c40bc2f309c9b65077
+Author: Chris Wilson <chris at chris-wilson.co.uk>
+Date: Sun Sep 26 20:21:44 2010 +0100
+
+ drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
+
+ ... and do the same for pread.
+
+ Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
+ Cc: stable at kernel.org
+
+--- linux-source-2.6.32.orig/drivers/gpu/drm/i915/i915_gem.c 2010-10-11 13:35:02.000000000 -0600
++++ linux-source-2.6.32/drivers/gpu/drm/i915/i915_gem.c 2010-10-12 23:08:06.000000000 -0600
+@@ -482,12 +482,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ return -EBADF;
+ obj_priv = obj->driver_private;
+
+- /* Bounds check source.
+- *
+- * XXX: This could use review for overflow issues...
+- */
+- if (args->offset > obj->size || args->size > obj->size ||
+- args->offset + args->size > obj->size) {
++ /* Bounds check source. */
++ if (args->offset > obj->size || args->size > obj->size - args->offset) {
+ ret = -EINVAL;
+ goto err;
+ }
+@@ -960,12 +956,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ return -EBADF;
+ obj_priv = obj->driver_private;
+
+- /* Bounds check destination.
+- *
+- * XXX: This could use review for overflow issues...
+- */
+- if (args->offset > obj->size || args->size > obj->size ||
+- args->offset + args->size > obj->size) {
++ /* Bounds check destination. */
++ if (args->offset > obj->size || args->size > obj->size - args->offset) {
+ ret = -EINVAL;
+ goto err;
+ }
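Review bot: The rewritten checks in i915_gem_pread_ioctl and i915_gem_pwrite_ioctl are only safe because `args->offset > obj->size` is evaluated first, and the shortened comments no longer say so. If a later edit reorders or drops that first clause, `obj->size - args->offset` can wrap as an unsigned subtraction and the second clause would then accept an out-of-range request. I would keep the comment to one line but state the dependency, e.g. `/* Bounds check source; offset <= size is tested first so the subtraction cannot wrap. */`, with "destination" in place of "source" for pwrite. Both function bodies start and end outside the nested hunks, so the unsigned types of `obj->size` and the `args` fields are assumed here rather than confirmed.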
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-sanity-check-pread+pwrite.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-sanity-check-pread+pwrite.patch Wed Oct 13 15:53:58 2010 (r16433)
@@ -0,0 +1,85 @@
+[Backported to Debian's 2.6.32 by dann frazier <dannf at debian.org>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4
+Author: Chris Wilson <chris at chris-wilson.co.uk>
+Date: Sun Sep 26 20:50:05 2010 +0100
+
+ drm/i915: Sanity check pread/pwrite
+
+ Move the access control up from the fast paths, which are no longer
+ universally taken first, up into the caller. This then duplicates some
+ sanity checking along the slow paths, but is much simpler.
+ Tracked as CVE-2010-2962.
+
+ Reported-by: Kees Cook <kees at ubuntu.com>
+ Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
+ Cc: stable at kernel.org
+
+diff -urpN linux-source-2.6.32.orig/drivers/gpu/drm/i915/i915_gem.c linux-source-2.6.32/drivers/gpu/drm/i915/i915_gem.c
+--- linux-source-2.6.32.orig/drivers/gpu/drm/i915/i915_gem.c 2010-09-29 18:03:37.000000000 -0600
++++ linux-source-2.6.32/drivers/gpu/drm/i915/i915_gem.c 2010-10-11 13:35:02.000000000 -0600
+@@ -488,8 +488,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_WRITE,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -501,8 +508,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ file_priv);
+ }
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
+@@ -592,8 +599,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+
+ user_data = (char __user *) (uintptr_t) args->data_ptr;
+ remain = args->size;
+- if (!access_ok(VERIFY_READ, user_data, remain))
+- return -EFAULT;
+
+
+ mutex_lock(&dev->struct_mutex);
+@@ -961,8 +966,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_READ,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ /* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -995,8 +1007,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+
++err:
+ drm_gem_object_unreference(obj);
+-
+ return ret;
+ }
+
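Review bot: Removing the `access_ok(VERIFY_READ, user_data, remain)` test from i915_gem_gtt_pwrite_fast leaves that function relying on its caller to have validated `args->data_ptr`, and nothing in the new code records that contract. A short comment above the `user_data` assignment, such as `/* data_ptr range was already checked with access_ok() in i915_gem_pwrite_ioctl */`, would help keep a future caller from reaching the copy path unchecked, which, going by the commit message, is the gap this change closes. The access_ok() calls added to both ioctls also sit after the bounds check that caps `args->size` at the object size, and they appear to rely on that ordering, so the same comments could mention it. All three functions continue outside the hunks shown, so whether the fast path has other callers cannot be confirmed from here.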
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Wed Oct 13 13:54:14 2010 (r16432)
+++ dists/sid/linux-2.6/debian/patches/series/25 Wed Oct 13 15:53:58 2010 (r16433)
@@ -16,3 +16,5 @@
+ bugfix/all/radeon-kms-release-AGP-bridge-at-suspend.patch
+ bugfix/all/radeon-kms-initialize-set_surface_reg-for-rs600.patch
+ features/x86/toshiba_acpi-Add-full-hotkey-support.patch
++ bugfix/all/drm-i915-sanity-check-pread+pwrite.patch
++ bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch