[CVE-2017-7346][PATCH X/Y/Z/A] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
Po-Hsu Lin
po-hsu.lin at canonical.com
Wed Jun 14 09:09:35 UTC 2017
From: Vladis Dronov <vdronov at redhat.com>
CVE-2017-7346
The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
a user-controlled 'uint32_t' value which is used as a loop count limit.
This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1437431
Cc: <stable at vger.kernel.org>
Signed-off-by: Vladis Dronov <vdronov at redhat.com>
Reviewed-by: Sinclair Yeh <syeh at vmware.com>
(cherry picked from commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf)
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 05fa092..6fed5a8 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
if (req->multisample_count != 0)
return -EINVAL;
+ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
+ return -EINVAL;
+
if (unlikely(vmw_user_surface_size == 0))
vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
128;
--
1.7.9.5
More information about the kernel-team
mailing list