[linux] 03/03: [armhf,arm64] Add security fixes for vc4 driver

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jan 26 21:27:32 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit e345ccbabe6b185e33b79149ebfc16bdd7349798
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Jan 26 21:26:41 2017 +0000

    [armhf,arm64] Add security fixes for vc4 driver
---
 debian/changelog                                   |  4 +++
 ...r-overflow-in-temporary-allocation-layout.patch | 36 ++++++++++++++++++++++
 ...urn-einval-on-the-overflow-checks-failing.patch | 27 ++++++++++++++++
 debian/patches/series                              |  2 ++
 4 files changed, 69 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e0d5c2b..ce75e19 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -459,6 +459,10 @@ linux (4.9.6-1) UNRELEASED; urgency=medium
   * fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
   * [rt] genpatch.py: Verify tag and tarball signatures
   * fbdev: color map copying bounds checking (CVE-2016-8405)
+  * [armhf,arm64] drm/vc4: Fix an integer overflow in temporary allocation
+    layout. (CVE-2017-5576)
+  * [armhf,arm64] drm/vc4: Return -EINVAL on the overflow checks failing.
+    (CVE-2017-5577)
 
   [ Roger Shimizu ]
   * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
diff --git a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch b/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
new file mode 100644
index 0000000..be77360
--- /dev/null
+++ b/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
@@ -0,0 +1,36 @@
+From: Eric Anholt <eric at anholt.net>
+Date: Wed, 18 Jan 2017 07:20:49 +1100
+Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
+Origin: https://lkml.org/lkml/2017/1/17/761
+
+We copy the unvalidated ioctl arguments from the user into kernel
+temporary memory to run the validation from, to avoid a race where the
+user updates the unvalidate contents in between validating them and
+copying them into the validated BO.
+
+However, in setting up the layout of the kernel side, we failed to
+check one of the additions (the roundup() for shader_rec_offset)
+against integer overflow, allowing a nearly MAX_UINT value of
+bin_cl_size to cause us to under-allocate the temporary space that we
+then copy_from_user into.
+
+Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
+Signed-off-by: Eric Anholt <eric at anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
+ 					  args->shader_rec_count);
+ 	struct vc4_bo *bo;
+ 
+-	if (uniforms_offset < shader_rec_offset ||
++	if (shader_rec_offset < args->bin_cl_size ||
++	    uniforms_offset < shader_rec_offset ||
+ 	    exec_size < uniforms_offset ||
+ 	    args->shader_rec_count >= (UINT_MAX /
+ 					  sizeof(struct vc4_shader_state)) ||
diff --git a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch b/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
new file mode 100644
index 0000000..95dc721
--- /dev/null
+++ b/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
@@ -0,0 +1,27 @@
+From: Eric Anholt <eric at anholt.net>
+Date: Wed, 18 Jan 2017 07:20:50 +1100
+Subject: drm/vc4: Return -EINVAL on the overflow checks failing.
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5577
+Origin: https://lkml.org/lkml/2017/1/17/759
+
+By failing to set the errno, we'd continue on to trying to set up the
+RCL, and then oops on trying to dereference the tile_bo that binning
+validation should have set up.
+
+Reported-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Eric Anholt <eric at anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, stru
+ 					  sizeof(struct vc4_shader_state)) ||
+ 	    temp_size < exec_size) {
+ 		DRM_ERROR("overflow in exec arguments\n");
++		ret = -EINVAL;
+ 		goto fail;
+ 	}
+ 
diff --git a/debian/patches/series b/debian/patches/series
index fd40d0c..dcbf05c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,6 +100,8 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/fbdev-color-map-coying-bounds-checking.patch
+bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
+bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list