ACK: [CVE-2017-7261][PATCH T] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
Stefan Bader
stefan.bader at canonical.com
Fri Jul 21 08:19:38 UTC 2017
On 19.07.2017 09:45, Po-Hsu Lin wrote:
> From: Murray McAllister <murray.mcallister at insomniasec.com>
>
> CVE-2017-7261
>
> Before memory allocations vmw_surface_define_ioctl() checks the
> upper-bounds of a user-supplied size, but does not check if the
> supplied size is 0.
>
> Add check to avoid NULL pointer dereferences.
>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
> Reviewed-by: Sinclair Yeh <syeh at vmware.com>
> (cherry picked from commit 36274ab8c596f1240c606bb514da329add2a1bcd)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index 9593df6..196833b 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -711,8 +711,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
> num_sizes += req->mip_levels[i];
> }
>
> - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
> - DRM_VMW_MAX_MIP_LEVELS)
> + if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
> + num_sizes == 0)
> return -EINVAL;
>
> size = vmw_user_surface_size + 128 +
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20170721/c63b51ed/attachment.sig>
More information about the kernel-team
mailing list