[linux] 03/07: [x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (CVE-2017-7261)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Apr 19 17:58:40 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 3b351f955ee6fc5ef0f7ad4812a2add66bb8821d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Apr 19 18:39:00 2017 +0100
[x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (CVE-2017-7261)
---
debian/changelog | 2 ++
...r-dereference-in-vmw_surface_define_ioctl.patch | 34 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 37 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 969994f..f46586f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -598,6 +598,8 @@ linux (3.16.43-1) UNRELEASED; urgency=medium
* xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
(CVE-2017-7184)
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
+ * [x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
+ (CVE-2017-7261)
[ Salvatore Bonaccorso ]
* sunrpc: fix refcounting problems with auth_gss messages.
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
new file mode 100644
index 0000000..eb4575b
--- /dev/null
+++ b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
@@ -0,0 +1,34 @@
+From: Murray McAllister <murray.mcallister at insomniasec.com>
+Date: Mon, 27 Mar 2017 11:12:53 +0200
+Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
+Origin: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
+
+Before memory allocations vmw_surface_define_ioctl() checks the
+upper-bounds of a user-supplied size, but does not check if the
+supplied size is 0.
+
+Add check to avoid NULL pointer dereferences.
+
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
+Reviewed-by: Sinclair Yeh <syeh at vmware.com>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+index b445ce9b9757..f410502cb075 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ num_sizes += req->mip_levels[i];
+
+- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
+- DRM_VMW_MAX_MIP_LEVELS)
++ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
++ num_sizes == 0)
+ return -EINVAL;
+
+ size = vmw_user_surface_size + 128 +
diff --git a/debian/patches/series b/debian/patches/series
index 2a65175..914e3bb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -678,6 +678,7 @@ bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_allo
bugfix/all/ping-implement-proper-locking.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list