[linux] 02/06: [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Jul 26 21:37:26 UTC 2017 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch stretch-security
in repository linux.

commit 81326d35c89f8b0fe1b64cde4a533cbda75ac080
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Wed Jul 26 22:58:05 2017 +0200

    [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
---
 debian/changelog                                   |  1 +
 ...x-Make-sure-backup_handle-is-always-valid.patch | 60 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 62 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 16b5fe1..4bc6cbb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ linux (4.9.30-2+deb9u3) UNRELEASED; urgency=medium
   * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
     (CVE-2017-7541)
   * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+  * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Wed, 26 Jul 2017 22:08:32 +0200
 
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch b/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
new file mode 100644
index 0000000..3dafdac
--- /dev/null
+++ b/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
@@ -0,0 +1,60 @@
+From: Sinclair Yeh <syeh at vmware.com>
+Date: Fri, 2 Jun 2017 07:50:57 +0200
+Subject: drm/vmwgfx: Make sure backup_handle is always valid
+Origin: https://git.kernel.org/linus/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9605
+
+When vmw_gb_surface_define_ioctl() is called with an existing buffer,
+we end up returning an uninitialized variable in the backup_handle.
+
+The fix is to first initialize backup_handle to 0 just to be sure, and
+second, when a user-provided buffer is found, we will use the
+req->buffer_handle as the backup_handle.
+
+Cc: <stable at vger.kernel.org>
+Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
+Signed-off-by: Sinclair Yeh <syeh at vmware.com>
+Reviewed-by: Deepak Rawat <drawat at vmware.com>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+index baf03d4d86d2..834bb10973a2 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -1274,7 +1274,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
+ 	struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
+ 	int ret;
+ 	uint32_t size;
+-	uint32_t backup_handle;
++	uint32_t backup_handle = 0;
+ 
+ 	if (req->multisample_count != 0)
+ 		return -EINVAL;
+@@ -1317,12 +1317,16 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
+ 		ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
+ 					     &res->backup,
+ 					     &user_srf->backup_base);
+-		if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE <
+-		    res->backup_size) {
+-			DRM_ERROR("Surface backup buffer is too small.\n");
+-			vmw_dmabuf_unreference(&res->backup);
+-			ret = -EINVAL;
+-			goto out_unlock;
++		if (ret == 0) {
++			if (res->backup->base.num_pages * PAGE_SIZE <
++			    res->backup_size) {
++				DRM_ERROR("Surface backup buffer is too small.\n");
++				vmw_dmabuf_unreference(&res->backup);
++				ret = -EINVAL;
++				goto out_unlock;
++			} else {
++				backup_handle = req->buffer_handle;
++			}
+ 		}
+ 	} else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer)
+ 		ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
+-- 
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 7fd3893..ce438b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -126,6 +126,7 @@ bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
 bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
 bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
 bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list