[kernel] r18957 - in dists/sid/linux-2.6/debian: . patches/bugfix/x86 patches/series

Ben Hutchings benh at alioth.debian.org
Fri Apr 27 04:13:33 UTC 2012 

Author: benh
Date: Fri Apr 27 04:13:31 2012
New Revision: 18957

Log:
[x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
   dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/base

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Fri Apr 27 03:36:24 2012	(r18956)
+++ dists/sid/linux-2.6/debian/changelog	Fri Apr 27 04:13:31 2012	(r18957)
@@ -24,6 +24,7 @@
     - Rate limit the state manager for lock reclaim warning messages
     - Ensure that the LOCK code sets exception->inode
     - Ensure that we check lock exclusive/shared type against open modes
+  * [x86] i915: Fix integer overflows in i915_gem_{do_execbuffer,execbuffer2}
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 16 Apr 2012 02:27:29 +0100
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch	Fri Apr 27 04:13:31 2012	(r18957)
@@ -0,0 +1,38 @@
+From: Xi Wang <xi.wang at gmail.com>
+Date: Mon, 23 Apr 2012 04:06:42 -0400
+Message-Id: <1335168402-25174-2-git-send-email-xi.wang at gmail.com>
+Subject: [PATCH v2 2/2] drm/i915: fix integer overflow in
+ i915_gem_do_execbuffer()
+
+On 32-bit systems, a large args->num_cliprects from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
+allocation for execbuffer object list").
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Cc: Chris Wilson <chris at chris-wilson.co.uk>
+Cc: stable at vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index 7c50e58..de43194 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1133,6 +1133,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 			return -EINVAL;
+ 		}
+ 
++		if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
++			DRM_DEBUG("execbuf with %u cliprects\n",
++				  args->num_cliprects);
++			return -EINVAL;
++		}
+ 		cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
+ 				    GFP_KERNEL);
+ 		if (cliprects == NULL) {
+-- 
+1.7.5.4
+

Added: dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch	Fri Apr 27 04:13:31 2012	(r18957)
@@ -0,0 +1,37 @@
+From: Xi Wang <xi.wang at gmail.com>
+Date: Mon, 23 Apr 2012 04:06:41 -0400
+Message-Id: <1335168402-25174-1-git-send-email-xi.wang at gmail.com>
+Subject: [PATCH v2 1/2] drm/i915: fix integer overflow in
+ i915_gem_execbuffer2()
+
+On 32-bit systems, a large args->buffer_count from userspace via ioctl
+may overflow the allocation size, leading to out-of-bounds access.
+
+This vulnerability was introduced in commit 8408c282 ("drm/i915:
+First try a normal large kmalloc for the temporary exec buffers").
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Cc: Chris Wilson <chris at chris-wilson.co.uk>
+Cc: stable at vger.kernel.org
+[bwh: Backported to 3.2: adjust context]
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index f51a696..7c50e58 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1404,7 +1404,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
+ 	struct drm_i915_gem_exec_object2 *exec2_list = NULL;
+ 	int ret;
+ 
+-	if (args->buffer_count < 1) {
++	if (args->buffer_count < 1 ||
++	    args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
+ 		DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
+ 		return -EINVAL;
+ 	}
+-- 
+1.7.5.4
+

Modified: dists/sid/linux-2.6/debian/patches/series/base
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/base	Fri Apr 27 03:36:24 2012	(r18956)
+++ dists/sid/linux-2.6/debian/patches/series/base	Fri Apr 27 04:13:31 2012	(r18957)
@@ -190,3 +190,5 @@
 + bugfix/all/NFSv4-Rate-limit-the-state-manager-for-lock-reclaim-.patch
 + bugfix/all/NFSv4-Ensure-that-the-LOCK-code-sets-exception-inode.patch
 + bugfix/all/NFSv4-Ensure-that-we-check-lock-exclusive-shared-typ.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
++ bugfix/x86/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch

More information about the Kernel-svn-changes mailing list