[linux] 07/11: [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Apr 26 23:25:02 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit a87d0ab86c1b071fa88a9021dfeae9e52479eae7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Apr 26 23:24:10 2017 +0100
[x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)
---
debian/changelog | 2 ++
...eger-overflow-in-vmw_surface_define_ioctl.patch | 36 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 39 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 74bfd49..9f40281 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -183,6 +183,8 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
* [x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
(CVE-2017-7261)
+ * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
+ (CVE-2017-7294)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Mar 2017 23:12:35 +0000
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
new file mode 100644
index 0000000..a710645
--- /dev/null
+++ b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
@@ -0,0 +1,36 @@
+From: Li Qiang <liq3ea at gmail.com>
+Date: Mon, 27 Mar 2017 20:10:53 -0700
+Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
+Origin: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
+
+In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
+'req->mip_levels' array. This array can be assigned any value from
+the user space. As both the 'num_sizes' and the array is uint32_t,
+it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
+used as the loop count. This can lead an oob write. Add the check of
+'req->mip_levels' to avoid this.
+
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
+@@ -1304,8 +1304,11 @@ int vmw_surface_define_ioctl(struct drm_
+ 128;
+
+ num_sizes = 0;
+- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
++ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
++ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
++ return -EINVAL;
+ num_sizes += req->mip_levels[i];
++ }
+
+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ num_sizes == 0)
diff --git a/debian/patches/series b/debian/patches/series
index f1448cd..e643977 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1115,6 +1115,7 @@ bugfix/all/ping-implement-proper-locking.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list