[ 3.5.y.z extended stable ] Patch "drm/i915: bounds check execbuffer relocation count" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Mon Mar 25 18:02:12 UTC 2013 

This is a note to let you know that I have just added a patch titled

    drm/i915: bounds check execbuffer relocation count

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From d21971d6aa17f36a7060d5dc971f4b1ded8492e6 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook at chromium.org>
Date: Mon, 11 Mar 2013 17:31:45 -0700
Subject: [PATCH] drm/i915: bounds check execbuffer relocation count

commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.

It is possible to wrap the counter used to allocate the buffer for
relocation copies. This could lead to heap writing overflows.

CVE-2013-0913

v3: collapse test, improve comment
v2: move check into validate_exec_list

Signed-off-by: Kees Cook <keescook at chromium.org>
Reported-by: Pinkie Pie
Reviewed-by: Chris Wilson <chris at chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
[ luis: adjust context ]
Luis Henriques <luis.henriques at canonical.com>
---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index fadd6d6..0f27a1f 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -941,15 +941,20 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
 		   int count)
 {
 	int i;
+	int relocs_total = 0;
+	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);

 	for (i = 0; i < count; i++) {
 		char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
 		int length; /* limited by fault_in_pages_readable() */

-		/* First check for malicious input causing overflow */
-		if (exec[i].relocation_count >
-		    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
+		/* First check for malicious input causing overflow in
+		 * the worst case where we need to allocate the entire
+		 * relocation tree as a single array.
+		 */
+		if (exec[i].relocation_count > relocs_max - relocs_total)
 			return -EINVAL;
+		relocs_total += exec[i].relocation_count;

 		length = exec[i].relocation_count *
 			sizeof(struct drm_i915_gem_relocation_entry);
--
1.8.1.2

More information about the kernel-team mailing list