[armhf,arm64] Add security fixes for vc4 driver
This commit is contained in:
parent
810b36a1d3
commit
e345ccbabe
|
@ -459,6 +459,10 @@ linux (4.9.6-1) UNRELEASED; urgency=medium
|
||||||
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
|
* fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
|
||||||
* [rt] genpatch.py: Verify tag and tarball signatures
|
* [rt] genpatch.py: Verify tag and tarball signatures
|
||||||
* fbdev: color map copying bounds checking (CVE-2016-8405)
|
* fbdev: color map copying bounds checking (CVE-2016-8405)
|
||||||
|
* [armhf,arm64] drm/vc4: Fix an integer overflow in temporary allocation
|
||||||
|
layout. (CVE-2017-5576)
|
||||||
|
* [armhf,arm64] drm/vc4: Return -EINVAL on the overflow checks failing.
|
||||||
|
(CVE-2017-5577)
|
||||||
|
|
||||||
[ Roger Shimizu ]
|
[ Roger Shimizu ]
|
||||||
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
||||||
|
|
36
debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
vendored
Normal file
36
debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
vendored
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
From: Eric Anholt <eric@anholt.net>
|
||||||
|
Date: Wed, 18 Jan 2017 07:20:49 +1100
|
||||||
|
Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
|
||||||
|
Origin: https://lkml.org/lkml/2017/1/17/761
|
||||||
|
|
||||||
|
We copy the unvalidated ioctl arguments from the user into kernel
|
||||||
|
temporary memory to run the validation from, to avoid a race where the
|
||||||
|
user updates the unvalidate contents in between validating them and
|
||||||
|
copying them into the validated BO.
|
||||||
|
|
||||||
|
However, in setting up the layout of the kernel side, we failed to
|
||||||
|
check one of the additions (the roundup() for shader_rec_offset)
|
||||||
|
against integer overflow, allowing a nearly MAX_UINT value of
|
||||||
|
bin_cl_size to cause us to under-allocate the temporary space that we
|
||||||
|
then copy_from_user into.
|
||||||
|
|
||||||
|
Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
|
||||||
|
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||||
|
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||||
|
---
|
||||||
|
drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
||||||
|
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||||
|
@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
|
||||||
|
args->shader_rec_count);
|
||||||
|
struct vc4_bo *bo;
|
||||||
|
|
||||||
|
- if (uniforms_offset < shader_rec_offset ||
|
||||||
|
+ if (shader_rec_offset < args->bin_cl_size ||
|
||||||
|
+ uniforms_offset < shader_rec_offset ||
|
||||||
|
exec_size < uniforms_offset ||
|
||||||
|
args->shader_rec_count >= (UINT_MAX /
|
||||||
|
sizeof(struct vc4_shader_state)) ||
|
27
debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
vendored
Normal file
27
debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
vendored
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
From: Eric Anholt <eric@anholt.net>
|
||||||
|
Date: Wed, 18 Jan 2017 07:20:50 +1100
|
||||||
|
Subject: drm/vc4: Return -EINVAL on the overflow checks failing.
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5577
|
||||||
|
Origin: https://lkml.org/lkml/2017/1/17/759
|
||||||
|
|
||||||
|
By failing to set the errno, we'd continue on to trying to set up the
|
||||||
|
RCL, and then oops on trying to dereference the tile_bo that binning
|
||||||
|
validation should have set up.
|
||||||
|
|
||||||
|
Reported-by: Ingo Molnar <mingo@kernel.org>
|
||||||
|
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||||
|
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||||
|
---
|
||||||
|
drivers/gpu/drm/vc4/vc4_gem.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
--- a/drivers/gpu/drm/vc4/vc4_gem.c
|
||||||
|
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
|
||||||
|
@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, stru
|
||||||
|
sizeof(struct vc4_shader_state)) ||
|
||||||
|
temp_size < exec_size) {
|
||||||
|
DRM_ERROR("overflow in exec arguments\n");
|
||||||
|
+ ret = -EINVAL;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
|
@ -100,6 +100,8 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/fbdev-color-map-coying-bounds-checking.patch
|
bugfix/all/fbdev-color-map-coying-bounds-checking.patch
|
||||||
|
bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
|
||||||
|
bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||||
|
|
Loading…
Reference in New Issue