ACK: [CVE-2017-7261][PATCH T] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
Colin Ian King
colin.king at canonical.com
Fri Jul 21 09:18:05 UTC 2017
On 19/07/17 08:45, Po-Hsu Lin wrote:
> From: Murray McAllister <murray.mcallister at insomniasec.com>
>
> CVE-2017-7261
>
> Before memory allocations vmw_surface_define_ioctl() checks the
> upper-bounds of a user-supplied size, but does not check if the
> supplied size is 0.
>
> Add check to avoid NULL pointer dereferences.
>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
> Reviewed-by: Sinclair Yeh <syeh at vmware.com>
> (cherry picked from commit 36274ab8c596f1240c606bb514da329add2a1bcd)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index 9593df6..196833b 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -711,8 +711,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
> num_sizes += req->mip_levels[i];
> }
>
> - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
> - DRM_VMW_MAX_MIP_LEVELS)
> + if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
> + num_sizes == 0)
> return -EINVAL;
>
> size = vmw_user_surface_size + 128 +
>
Clean cherry-pick.
Acked-by: Colin Ian King <colin.king at canonical.com>
More information about the kernel-team
mailing list