[linux] 04/05: [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)

Wed Mar 29 21:52:37 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 8703214f249b0e243854f65f624ef3149115dad2
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Mar 29 22:42:53 2017 +0100

    [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)
---
 debian/changelog                                   |  2 ++
 ...eger-overflow-in-vmw_surface_define_ioctl.patch | 33 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 36 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c81ad83..22c3cbe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -141,6 +141,8 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
   * scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
   * [x86] vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
     (CVE-2017-7261)
+  * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
+    (CVE-2017-7294)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 27 Mar 2017 21:54:36 +0100
 
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
new file mode 100644
index 0000000..8514670
--- /dev/null
+++ b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
@@ -0,0 +1,33 @@
+Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
+From: Li Qiang <liq3ea at gmail.com>
+Date: Tue, 28 Mar 2017 03:10:53 +0000
+Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
+
+In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
+'req->mip_levels' array. This array can be assigned any value from
+the user space. As both the 'num_sizes' and the array is uint32_t,
+it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
+used as the loop count. This can lead an oob write. Add the check of
+'req->mip_levels' to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
+ 			128;
+ 
+ 	num_sizes = 0;
+-	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
++	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
++		if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
++			return -EINVAL;
+ 		num_sizes += req->mip_levels[i];
++	}
+ 
+ 	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ 	    num_sizes == 0)
diff --git a/debian/patches/series b/debian/patches/series
index e68835b..deab170 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -123,6 +123,7 @@ bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.
 bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
 bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
 bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

