Quantcast

[CVE-2017-5577][Yakkety] drm/vc4: Return -EINVAL on the overflow checks failing.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[CVE-2017-5577][Yakkety] drm/vc4: Return -EINVAL on the overflow checks failing.

Po-Hsu Lin (Sam)
From: Eric Anholt <[hidden email]>

By failing to set the errno, we'd continue on to trying to set up the
RCL, and then oops on trying to dereference the tile_bo that binning
validation should have set up.

Reported-by: Ingo Molnar <[hidden email]>
Signed-off-by: Eric Anholt <[hidden email]>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
(cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
CVE-2017-5577
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 drivers/gpu/drm/vc4/vc4_gem.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index ae1609e..2f732f9 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
   sizeof(struct vc4_shader_state)) ||
     temp_size < exec_size) {
  DRM_ERROR("overflow in exec arguments\n");
+ ret = -EINVAL;
  goto fail;
  }
 
--
1.7.9.5


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

ACK: [CVE-2017-5577][Yakkety] drm/vc4: Return -EINVAL on the overflow checks failing.

Colin Ian King-2
On 19/05/17 13:08, Po-Hsu Lin wrote:

> From: Eric Anholt <[hidden email]>
>
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
>
> Reported-by: Ingo Molnar <[hidden email]>
> Signed-off-by: Eric Anholt <[hidden email]>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <[hidden email]>
> ---
>  drivers/gpu/drm/vc4/vc4_gem.c |    1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
> index ae1609e..2f732f9 100644
> --- a/drivers/gpu/drm/vc4/vc4_gem.c
> +++ b/drivers/gpu/drm/vc4/vc4_gem.c
> @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
>    sizeof(struct vc4_shader_state)) ||
>      temp_size < exec_size) {
>   DRM_ERROR("overflow in exec arguments\n");
> + ret = -EINVAL;
>   goto fail;
>   }
>  
>
Clean upstream cherry pick, fixes an genuine issue. Makes sense.

Acked-by: Colin Ian King <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

ACK: [CVE-2017-5577][Yakkety] drm/vc4: Return -EINVAL on the overflow checks failing.

Seth Forshee
In reply to this post by Po-Hsu Lin (Sam)
On Fri, May 19, 2017 at 08:08:32PM +0800, Po-Hsu Lin wrote:

> From: Eric Anholt <[hidden email]>
>
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
>
> Reported-by: Ingo Molnar <[hidden email]>
> Signed-off-by: Eric Anholt <[hidden email]>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <[hidden email]>

Acked-by: Seth Forshee <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Loading...