ACK: [CVE-2017-5576][Y][PATCH] drm/vc4: Fix an integer overflow in temporary allocation layout.

Stefan Bader stefan.bader at canonical.com
Wed Jun 21 07:04:18 UTC 2017


On 06.06.2017 10:20, Po-Hsu Lin wrote:
> From: Eric Anholt <eric at anholt.net>
> 
> We copy the unvalidated ioctl arguments from the user into kernel
> temporary memory to run the validation from, to avoid a race where the
> user updates the unvalidated contents in between validating them and
> copying them into the validated BO.
> 
> However, in setting up the layout of the kernel side, we failed to
> check one of the additions (the roundup() for shader_rec_offset)
> against integer overflow, allowing a nearly MAX_UINT value of
> bin_cl_size to cause us to under-allocate the temporary space that we
> then copy_from_user into.
> 
> Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
> Signed-off-by: Eric Anholt <eric at anholt.net>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 0f2ff82e11c86c05d051cae32b58226392d33bbf)
> 
> CVE-2017-5576
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>

Acked-by: Stefan Bader <stefan.bader at canonical.com>

> ---
>  drivers/gpu/drm/vc4/vc4_gem.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
> index 2f732f9..3881317 100644
> --- a/drivers/gpu/drm/vc4/vc4_gem.c
> +++ b/drivers/gpu/drm/vc4/vc4_gem.c
> @@ -597,7 +597,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
>  					  args->shader_rec_count);
>  	struct vc4_bo *bo;
>  
> -	if (uniforms_offset < shader_rec_offset ||
> +	if (shader_rec_offset < args->bin_cl_size ||
> +	    uniforms_offset < shader_rec_offset ||
>  	    exec_size < uniforms_offset ||
>  	    args->shader_rec_count >= (UINT_MAX /
>  					  sizeof(struct vc4_shader_state)) ||
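Review bot: The added first condition, `shader_rec_offset < args->bin_cl_size`, is a wraparound test, but nothing at the `if` says so; a reader who sees only an offset compared against a size will not know it guards the roundup() that produces shader_rec_offset. A one-line comment above the `if` stating that a rounded-up offset smaller than bin_cl_size means the addition wrapped would keep the check from being dropped as redundant in a later cleanup. The ordering is fine: it sits ahead of the `uniforms_offset < shader_rec_offset` and `exec_size < uniforms_offset` tests, which only catch wraps in the later additions.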
> 
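
The wraparound the commit message describes, as an added user-space model that is not code from the patch or the kernel. The field names `shader_rec_size` and `uniforms_size`, the 16-byte alignment, the 32-byte record size, the final `total < exec_size` test and the sample input are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the layout arithmetic. Only bin_cl_size and
 * shader_rec_count are names taken from the patch; the rest are assumed. */
struct layout_args {
    uint32_t bin_cl_size;
    uint32_t shader_rec_size;   /* assumed field */
    uint32_t uniforms_size;     /* assumed field */
    uint32_t shader_rec_count;
};

#define ALIGNMENT 16u           /* assumed roundup() granularity */
#define SHADER_STATE_SIZE 32u   /* constructed stand-in for sizeof(struct vc4_shader_state) */

/* Same shape as a roundup() macro: the addition wraps silently in 32 bits. */
static uint32_t roundup_u32(uint32_t x, uint32_t y)
{
    return ((x + (y - 1)) / y) * y;
}

/* Returns 0 and stores the size to allocate, or -1 if the layout is rejected.
 * with_fix selects whether the comparison added by the patch is applied. */
static int layout_temp_size(const struct layout_args *a, int with_fix, uint32_t *temp_size)
{
    uint32_t shader_rec_offset = roundup_u32(a->bin_cl_size, ALIGNMENT);
    uint32_t uniforms_offset = shader_rec_offset + a->shader_rec_size;
    uint32_t exec_size = uniforms_offset + a->uniforms_size;
    uint32_t total;
    if (a->shader_rec_count >= UINT32_MAX / SHADER_STATE_SIZE)
        return -1;
    total = exec_size + SHADER_STATE_SIZE * a->shader_rec_count;
    if ((with_fix && shader_rec_offset < a->bin_cl_size) ||
        uniforms_offset < shader_rec_offset ||
        exec_size < uniforms_offset ||
        total < exec_size)      /* assumed final bound, not shown in the hunk */
        return -1;
    *temp_size = total;
    return 0;
}

int main(void)
{
    struct layout_args a = { 0xfffffff8u, 64, 64, 1 };  /* constructed input */
    uint32_t size = 0;
    int before = layout_temp_size(&a, 0, &size);
    printf("without check: rc=%d temp_size=%u\n", before, (unsigned)size);
    printf("with check:    rc=%d\n", layout_temp_size(&a, 1, &size));
    return 0;
}
```

Without the added comparison the model accepts the request and sizes the buffer from an offset that wrapped to zero, so the allocation is far smaller than `bin_cl_size`; with it, the request is rejected before any allocation.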

