[kernel] CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)

Josh Boyer jwboyer at fedoraproject.org
Tue Mar 12 13:09:38 UTC 2013 

commit c9ae2ee093a90e72ce3088af7774ba37ec08f164
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Mar 12 09:07:02 2013 -0400

    CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)

 ...-bounds-check-execbuffer-relocation-count.patch |  100 ++++++++++++++++++++
 kernel.spec                                        |    7 ++
 2 files changed, 107 insertions(+), 0 deletions(-)
---
diff --git a/drm-i915-bounds-check-execbuffer-relocation-count.patch b/drm-i915-bounds-check-execbuffer-relocation-count.patch
new file mode 100644
index 0000000..1377a52
--- /dev/null
+++ b/drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -0,0 +1,100 @@
+                                                                                                                                                                                                                                                               
+Delivered-To: jwboyer at gmail.com
+Received: by 10.76.169.233 with SMTP id ah9csp107244oac;
+        Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
+X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048;
+        Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
+Return-Path: <linux-kernel-owner at vger.kernel.org>
+Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
+        by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12;
+        Mon, 11 Mar 2013 17:32:43 -0700 (PDT)
+Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner at vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
+Authentication-Results: mx.google.com;
+       spf=pass (google.com: best guess record for domain of linux-kernel-owner at vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner at vger.kernel.org
+Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1754633Ab3CLAbx (ORCPT <rfc822;cpulmkl at gmail.com> + 99 others);
+	Mon, 11 Mar 2013 20:31:53 -0400
+Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net"
+	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+	id S1754446Ab3CLAbx (ORCPT <rfc822;linux-kernel at vger.kernel.org>);
+	Mon, 11 Mar 2013 20:31:53 -0400
+Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
+	by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342;
+	Mon, 11 Mar 2013 17:31:45 -0700
+Date:	Mon, 11 Mar 2013 17:31:45 -0700
+From:	Kees Cook <keescook at chromium.org>
+To:	linux-kernel at vger.kernel.org
+Cc:	Daniel Vetter <daniel.vetter at ffwll.ch>,
+	David Airlie <airlied at linux.ie>,
+	dri-devel at lists.freedesktop.org, intel-gfx at lists.freedesktop.org,
+	Julien Tinnes <jln at google.com>, marcheu at chromium.org
+Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count
+Message-ID: <20130312003145.GA28993 at www.outflux.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+X-MIMEDefang-Filter: outflux$Revision: 1.316 $
+X-HELO:	www.outflux.net
+X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
+Sender:	linux-kernel-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List:	linux-kernel at vger.kernel.org
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Pinkie Pie
+Cc: stable at vger.kernel.org
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index b3a40ee..094ba41 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ 		   int count)
+ {
+ 	int i;
++	int relocs_total = 0;
++	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+ 
+ 	for (i = 0; i < count; i++) {
+ 		char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ 		if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS)
+ 			return -EINVAL;
+ 
+-		/* First check for malicious input causing overflow */
+-		if (exec[i].relocation_count >
+-		    INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++		/* First check for malicious input causing overflow in
++		 * the worst case where we need to allocate the entire
++		 * relocation tree as a single array.
++		 */
++		if (exec[i].relocation_count > relocs_max - relocs_total)
+ 			return -EINVAL;
++		relocs_total += exec[i].relocation_count;
+ 
+ 		length = exec[i].relocation_count *
+ 			sizeof(struct drm_i915_gem_relocation_entry);
+-- 
+1.7.9.5
+
+
+-- 
+Kees Cook
+Chrome OS Security
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at  http://www.tux.org/lkml/
diff --git a/kernel.spec b/kernel.spec
index cc545ce..a38f224 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -745,6 +745,9 @@ Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
 #CVE-2013-0914 rhbz 920499 920510
 Patch21270: signal-always-clear-sa_restorer-on-execve.patch
 
+#CVE-2013-0913 rhbz 920471 920529
+Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
+
 Patch22000: weird-root-dentry-name-debug.patch
 
 #selinux ptrace child permissions
@@ -1448,6 +1451,9 @@ ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
 #CVE-2013-0914 rhbz 920499 920510
 ApplyPatch signal-always-clear-sa_restorer-on-execve.patch
 
+#CVE-2013-0913 rhbz 920471 920529
+ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2290,6 +2296,7 @@ fi
 #                 ||     ||
 %changelog
 * Tue Mar 12 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529)
 - CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510)
 
 * Tue Mar 12 2013 Dave Airlie <airlied at redhat.com>

More information about the scm-commits mailing list