ACK: [CVE-2017-7294][Yakkety] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()

[Colin Ian King]

On 15/05/17 12:39, Po-Hsu Lin wrote:
> From: Li Qiang <liq3ea at gmail.com>
> 
> In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
> 'req->mip_levels' array. This array can be assigned any value from
> the user space. As both the 'num_sizes' and the array is uint32_t,
> it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
> used as the loop count. This can lead an oob write. Add the check of
> 'req->mip_levels' to avoid this.
> 
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
> Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
> (cherry picked from commit e7e11f99564222d82f0ce84bd521e57d78a6678)
> CVE-2017-7294
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
>  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> index c2a721a..aa0108d 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
> @@ -715,8 +715,11 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
>  			128;
>  
>  	num_sizes = 0;
> -	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
> +	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
> +		if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
> +			return -EINVAL;
>  		num_sizes += req->mip_levels[i];
> +	}
>  
>  	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
>  	    DRM_VMW_MAX_MIP_LEVELS)
> 

Clean upstream cherry pick, looks good to me. For all three patches:

Acked-by: Colin Ian King <colin.king at canonical.com>