[linux] 01/04: Restore vmwgfx security fixes

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Sep 18 00:30:40 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 9f37a00f771cfc18a0d869c02ff45237dc5afaee
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 31 21:58:33 2017 +0100

    Restore vmwgfx security fixes
    
    These were applied in 3.2.88-1 and then upstream in 3.2.89.  When
    rebasing onto 3.2.89 I dropped them here.  The next update to
    drm-3.4.patch (not yet released) reverted them completely.
    
    The proper thing to do with drm fixes is to update drm-3.4.patch and
    then re-apply the fixes on top of that.
---
 ...eger-overflow-in-vmw_surface_define_ioctl.patch | 36 ++++++++++++++++++++++
 ...r-dereference-in-vmw_surface_define_ioctl.patch | 33 ++++++++++++++++++++
 debian/patches/series                              |  2 ++
 3 files changed, 71 insertions(+)

diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
new file mode 100644
index 0000000..a710645
--- /dev/null
+++ b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
@@ -0,0 +1,36 @@
+From: Li Qiang <liq3ea at gmail.com>
+Date: Mon, 27 Mar 2017 20:10:53 -0700
+Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
+Origin: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
+
+In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
+'req->mip_levels' array. This array can be assigned any value from
+the user space. As both the 'num_sizes' and the array is uint32_t,
+it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
+used as the loop count. This can lead an oob write. Add the check of
+'req->mip_levels' to avoid this.
+
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
+Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
+@@ -1304,8 +1304,11 @@ int vmw_surface_define_ioctl(struct drm_
+ 			128;
+ 
+ 	num_sizes = 0;
+-	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
++	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
++		if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
++			return -EINVAL;
+ 		num_sizes += req->mip_levels[i];
++	}
+ 
+ 	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ 	    num_sizes == 0)
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
new file mode 100644
index 0000000..d7fbb06
--- /dev/null
+++ b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
@@ -0,0 +1,33 @@
+From: Murray McAllister <murray.mcallister at insomniasec.com>
+Date: Mon, 27 Mar 2017 11:12:53 +0200
+Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
+Origin: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
+
+Before memory allocations vmw_surface_define_ioctl() checks the
+upper-bounds of a user-supplied size, but does not check if the
+supplied size is 0.
+
+Add check to avoid NULL pointer dereferences.
+
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
+Reviewed-by: Sinclair Yeh <syeh at vmware.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
+@@ -1307,8 +1307,8 @@ int vmw_surface_define_ioctl(struct drm_
+ 	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ 		num_sizes += req->mip_levels[i];
+ 
+-	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
+-	    DRM_VMW_MAX_MIP_LEVELS)
++	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
++	    num_sizes == 0)
+ 		return -EINVAL;
+ 
+ 	size = vmw_user_surface_size + 128 +
diff --git a/debian/patches/series b/debian/patches/series
index dae94de..acd7a80 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1107,6 +1107,8 @@ bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
 bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
 bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
 bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
+bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
 bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
 features/all/net-add-kfree_skb_list.patch
 bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list