[kernel/f12/master] drm-i915-sanity-check-pread-pwrite.patch: backport fix for CVE-2010-2962

Chuck Ebbert cebbert at fedoraproject.org
Sat Oct 23 05:25:55 UTC 2010


commit f69fa2ae2c275cccd43a9935f9188d50b5c27cc0
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Sat Oct 23 01:23:31 2010 -0400

    drm-i915-sanity-check-pread-pwrite.patch: backport fix for CVE-2010-2962

 drm-i915-sanity-check-pread-pwrite.patch |   90 ++++++++++++++++++++++++++++++
 kernel.spec                              |   22 +++++---
 2 files changed, 104 insertions(+), 8 deletions(-)
---
diff --git a/drm-i915-sanity-check-pread-pwrite.patch b/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644
index 0000000..ca6d2bc
--- /dev/null
+++ b/drm-i915-sanity-check-pread-pwrite.patch
@@ -0,0 +1,90 @@
+From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris at chris-wilson.co.uk>
+Date: Sun, 26 Sep 2010 20:50:05 +0100
+Subject: drm/i915: Sanity check pread/pwrite
+
+From: Chris Wilson <chris at chris-wilson.co.uk>
+
+commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook <kees at ubuntu.com>
+Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+Backported-by: Chuck Ebbert <cebbert at redhat.com> 2.6.32
+
+---
+ drivers/gpu/drm/i915/i915_gem.c |   28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device *
+ 	 */
+ 	if (args->offset > obj->size || args->size > obj->size ||
+ 	    args->offset + args->size > obj->size) {
+-		drm_gem_object_unreference(obj);
+-		return -EINVAL;
++		ret = -EINVAL;
++		goto err;
++	}
++
++	if (!access_ok(VERIFY_WRITE,
++		       (char __user *)(uintptr_t)args->data_ptr,
++		       args->size)) {
++		ret = -EFAULT;
++		goto err;
+ 	}
+ 
+ 	if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device *
+ 							file_priv);
+ 	}
+ 
++err:
+ 	drm_gem_object_unreference(obj);
+-
+ 	return ret;
+ }
+ 
+@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi
+ 
+ 	user_data = (char __user *) (uintptr_t) args->data_ptr;
+ 	remain = args->size;
+-	if (!access_ok(VERIFY_READ, user_data, remain))
+-		return -EFAULT;
+ 
+ 
+ 	mutex_lock(&dev->struct_mutex);
+@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 	 */
+ 	if (args->offset > obj->size || args->size > obj->size ||
+ 	    args->offset + args->size > obj->size) {
+-		drm_gem_object_unreference(obj);
+-		return -EINVAL;
++		ret = -EINVAL;
++		goto err;
++	}
++
++	if (!access_ok(VERIFY_READ,
++		       (char __user *)(uintptr_t)args->data_ptr,
++		       args->size)) {
++		ret = -EFAULT;
++		goto err;
+ 	}
+ 
+ 	/* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device
+ 		DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+ 
++err:
+ 	drm_gem_object_unreference(obj);
+-
+ 	return ret;
+ }
+ 
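Review bot: In the embedded `@@ -568,8 +575,6 @@` hunk, i915_gem_gtt_pwrite_fast loses its own `access_ok(VERIFY_READ, user_data, remain)`, and nothing on the new side records that the caller must now validate the user range. The new check in i915_gem_pwrite_ioctl covers the call path visible here, but a caller added later without it would presumably pass an unchecked user pointer to the copy routines further down, which is the kind of gap this fix closes. I would add a comment above `user_data = (char __user *) (uintptr_t) args->data_ptr;`, for example `/* Caller must already have done access_ok() on data_ptr/size. */`. The bodies of all three functions extend beyond the lines shown, so whether other fast or slow paths carry the same assumption cannot be confirmed from this patch.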
diff --git a/kernel.spec b/kernel.spec
index 342f776..9bbccfc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -728,14 +728,16 @@ Patch1824: drm-intel-next.patch
 Patch1825: drm-intel-acpi-populate-didl.patch
 Patch1826: drm-intel-make-lvds-work.patch
 #Patch1827: linux-2.6-intel-agp-clear-gtt.patch
-Patch1828: drm-nouveau-g80-ctxprog.patch
-Patch1831: drm-nouveau-tvout-disable.patch
-Patch1832: drm-nouveau-safetile-getparam.patch
-Patch1844: drm-nouveau-kconfig.patch
-Patch1845: drm-nouveau-mutex.patch
-Patch1846: drm-nouveau-update.patch
-Patch1847: drm-nouveau-d620.patch
-Patch1848: drm-nouveau-nva3-noaccel.patch
+Patch1828: drm-i915-sanity-check-pread-pwrite.patch
+
+Patch1850: drm-nouveau-g80-ctxprog.patch
+Patch1851: drm-nouveau-tvout-disable.patch
+Patch1852: drm-nouveau-safetile-getparam.patch
+Patch1853: drm-nouveau-kconfig.patch
+Patch1854: drm-nouveau-mutex.patch
+Patch1855: drm-nouveau-update.patch
+Patch1856: drm-nouveau-d620.patch
+Patch1857: drm-nouveau-nva3-noaccel.patch
 
 # kludge to make ich9 e1000 work
 Patch2000: linux-2.6-e1000-ich9.patch
@@ -1467,6 +1469,8 @@ ApplyPatch drm-intel-acpi-populate-didl.patch
 ApplyPatch drm-intel-make-lvds-work.patch
 # gm45 stability fixes
 ApplyPatch drm-intel-945gm-stability-fixes.patch
+# CVE-2010-2962
+ApplyPatch drm-i915-sanity-check-pread-pwrite.patch
 
 ApplyPatch drm-nouveau-g80-ctxprog.patch
 ApplyPatch drm-nouveau-tvout-disable.patch
@@ -2226,6 +2230,8 @@ fi
    xen-fix-typo-in-xen-irq-fix.patch
    r8169-fix-dma-allocations.patch
    skge-quirk-to-4gb-dma.patch
+- drm-i915-sanity-check-pread-pwrite.patch: backport fix for
+   CVE-2010-2962
 
 * Thu Oct 14 2010 Kyle McMartin <kyle at redhat.com>
 - rhbz447489: skge-quirk-to-4gb-dma.patch

