[kernel] r16433 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Oct 13 15:54:02 UTC 2010


Author: dannf
Date: Wed Oct 13 15:53:58 2010
New Revision: 16433

Log:
* drm/i915: Sanity check pread/pwrite (CVE-2010-2962)
* drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch
   dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-sanity-check-pread+pwrite.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Wed Oct 13 13:54:14 2010	(r16432)
+++ dists/sid/linux-2.6/debian/changelog	Wed Oct 13 15:53:58 2010	(r16433)
@@ -29,6 +29,10 @@
   * xen: do not truncate machine address on gnttab_copy_grant_page hypercall
     (Closes: #599089)
 
+  [ dann frazier ]
+  * drm/i915: Sanity check pread/pwrite (CVE-2010-2962)
+  * drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
+
  -- Ben Hutchings <ben at decadent.org.uk>  Thu, 30 Sep 2010 12:28:58 +0100
 
 linux-2.6 (2.6.32-24) unstable; urgency=high

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch	Wed Oct 13 15:53:58 2010	(r16433)
@@ -0,0 +1,45 @@
+[Backported to Debian's 2.6.32 by dann frazier <dannf at debian.org>
+
+commit 7dcd2499deab8f10011713c40bc2f309c9b65077
+Author: Chris Wilson <chris at chris-wilson.co.uk>
+Date:   Sun Sep 26 20:21:44 2010 +0100
+
+    drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
+    
+    ... and do the same for pread.
+    
+    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
+    Cc: stable at kernel.org
+
+--- linux-source-2.6.32.orig/drivers/gpu/drm/i915/i915_gem.c	2010-10-11 13:35:02.000000000 -0600
++++ linux-source-2.6.32/drivers/gpu/drm/i915/i915_gem.c	2010-10-12 23:08:06.000000000 -0600
+@@ -482,12 +482,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ 		return -EBADF;
+ 	obj_priv = obj->driver_private;
+ 
+-	/* Bounds check source.
+-	 *
+-	 * XXX: This could use review for overflow issues...
+-	 */
+-	if (args->offset > obj->size || args->size > obj->size ||
+-	    args->offset + args->size > obj->size) {
++	/* Bounds check source.  */
++	if (args->offset > obj->size || args->size > obj->size - args->offset) {
+ 		ret = -EINVAL;
+ 		goto err;
+ 	}
+@@ -960,12 +956,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 		return -EBADF;
+ 	obj_priv = obj->driver_private;
+ 
+-	/* Bounds check destination.
+-	 *
+-	 * XXX: This could use review for overflow issues...
+-	 */
+-	if (args->offset > obj->size || args->size > obj->size ||
+-	    args->offset + args->size > obj->size) {
++	/* Bounds check destination. */
++	if (args->offset > obj->size || args->size > obj->size - args->offset) {
+ 		ret = -EINVAL;
+ 		goto err;
+ 	}
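Review bot: The rewritten test `args->size > obj->size - args->offset` is only wrap-free because `args->offset > obj->size` is evaluated first and short-circuits, and the shortened comment no longer says so. I would keep that invariant next to the check in both the pread and pwrite hunks, for example `/* offset <= obj->size is tested first, so obj->size - offset cannot wrap. */`, so that nobody later reorders or splits the condition. A request with `args->size == 0` also passes this check. Whether the copy paths treat that as a no-op cannot be seen here, because both ioctl bodies start and end outside the hunks.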

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-sanity-check-pread+pwrite.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/drm-i915-sanity-check-pread+pwrite.patch	Wed Oct 13 15:53:58 2010	(r16433)
@@ -0,0 +1,85 @@
+[Backported to Debian's 2.6.32 by dann frazier <dannf at debian.org>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4
+Author: Chris Wilson <chris at chris-wilson.co.uk>
+Date:   Sun Sep 26 20:50:05 2010 +0100
+
+    drm/i915: Sanity check pread/pwrite
+    
+    Move the access control up from the fast paths, which are no longer
+    universally taken first, up into the caller. This then duplicates some
+    sanity checking along the slow paths, but is much simpler.
+    Tracked as CVE-2010-2962.
+    
+    Reported-by: Kees Cook <kees at ubuntu.com>
+    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
+    Cc: stable at kernel.org
+
+diff -urpN linux-source-2.6.32.orig/drivers/gpu/drm/i915/i915_gem.c linux-source-2.6.32/drivers/gpu/drm/i915/i915_gem.c
+--- linux-source-2.6.32.orig/drivers/gpu/drm/i915/i915_gem.c	2010-09-29 18:03:37.000000000 -0600
++++ linux-source-2.6.32/drivers/gpu/drm/i915/i915_gem.c	2010-10-11 13:35:02.000000000 -0600
+@@ -488,8 +488,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ 	 */
+ 	if (args->offset > obj->size || args->size > obj->size ||
+ 	    args->offset + args->size > obj->size) {
+-		drm_gem_object_unreference(obj);
+-		return -EINVAL;
++		ret = -EINVAL;
++		goto err;
++	}
++
++	if (!access_ok(VERIFY_WRITE,
++		       (char __user *)(uintptr_t)args->data_ptr,
++		       args->size)) {
++		ret = -EFAULT;
++		goto err;
+ 	}
+ 
+ 	if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -501,8 +508,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ 							file_priv);
+ 	}
+ 
++err:
+ 	drm_gem_object_unreference(obj);
+-
+ 	return ret;
+ }
+ 
+@@ -592,8 +599,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+ 
+ 	user_data = (char __user *) (uintptr_t) args->data_ptr;
+ 	remain = args->size;
+-	if (!access_ok(VERIFY_READ, user_data, remain))
+-		return -EFAULT;
+ 
+ 
+ 	mutex_lock(&dev->struct_mutex);
+@@ -961,8 +966,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 	 */
+ 	if (args->offset > obj->size || args->size > obj->size ||
+ 	    args->offset + args->size > obj->size) {
+-		drm_gem_object_unreference(obj);
+-		return -EINVAL;
++		ret = -EINVAL;
++		goto err;
++	}
++
++	if (!access_ok(VERIFY_READ,
++		       (char __user *)(uintptr_t)args->data_ptr,
++		       args->size)) {
++		ret = -EFAULT;
++		goto err;
+ 	}
+ 
+ 	/* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -995,8 +1007,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 		DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+ 
++err:
+ 	drm_gem_object_unreference(obj);
+-
+ 	return ret;
+ }
+ 
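Review bot: The new `access_ok()` calls in `i915_gem_pread_ioctl` and `i915_gem_pwrite_ioctl` are now the single user-pointer range check for every copy path below them, but nothing in the code records that dependency. A short comment above each call would help, for example `/* Only range check on data_ptr; the fast and slow copy paths below rely on it. */`, since a future path added under the ioctl would presumably inherit the same assumption. The check also leans on the bounds test directly above it having already limited `args->size` to `obj->size`, so the two should stay in that order. The hunks remove the old check only from `i915_gem_gtt_pwrite_fast`. Whether any other helper keeps its own copy is not visible here, as the function bodies extend outside the hunks.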

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Wed Oct 13 13:54:14 2010	(r16432)
+++ dists/sid/linux-2.6/debian/patches/series/25	Wed Oct 13 15:53:58 2010	(r16433)
@@ -16,3 +16,5 @@
 + bugfix/all/radeon-kms-release-AGP-bridge-at-suspend.patch
 + bugfix/all/radeon-kms-initialize-set_surface_reg-for-rs600.patch
 + features/x86/toshiba_acpi-Add-full-hotkey-support.patch
++ bugfix/all/drm-i915-sanity-check-pread+pwrite.patch
++ bugfix/all/drm-i915-rephrase-pread+pwrite-bounds-checking-to-avoid-potential-overflow.patch


