[PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.

Po-Hsu Lin (Sam)
From: Eric Anholt <[hidden email]>

By failing to set the errno, we'd continue on to trying to set up the
RCL, and then oops on trying to dereference the tile_bo that binning
validation should have set up.

Reported-by: Ingo Molnar <[hidden email]>
Signed-off-by: Eric Anholt <[hidden email]>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
(cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
CVE-2017-5577
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 drivers/gpu/drm/vc4/vc4_gem.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index ae1609e..2f732f9 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
   sizeof(struct vc4_shader_state)) ||
     temp_size < exec_size) {
  DRM_ERROR("overflow in exec arguments\n");
+ ret = -EINVAL;
  goto fail;
  }
 
--
1.7.9.5


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.

Stefan Bader-2
On 19.05.2017 14:04, Po-Hsu Lin wrote:

> From: Eric Anholt <[hidden email]>
>
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
>
> Reported-by: Ingo Molnar <[hidden email]>
> Signed-off-by: Eric Anholt <[hidden email]>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked
Was this for Yakkety and replaced by an updated submission?

-Stefan

from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)

> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <[hidden email]>
> ---
>  drivers/gpu/drm/vc4/vc4_gem.c |    1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
> index ae1609e..2f732f9 100644
> --- a/drivers/gpu/drm/vc4/vc4_gem.c
> +++ b/drivers/gpu/drm/vc4/vc4_gem.c
> @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
>    sizeof(struct vc4_shader_state)) ||
>      temp_size < exec_size) {
>   DRM_ERROR("overflow in exec arguments\n");
> + ret = -EINVAL;
>   goto fail;
>   }
>  
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.

Po-Hsu Lin (Sam)
Hello,
Yes, this patch is for Yakkety, I have NAKed this one as I forgot to
add the [CVE-2017-5577][Yakkety] in the title (the content is the
same)

Please refer to the [CVE-2017-5577][Yakkety] drm/vc4: Return -EINVAL
on the overflow checks failing.
Thanks

On Tue, May 23, 2017 at 4:31 PM, Stefan Bader
<[hidden email]> wrote:

> On 19.05.2017 14:04, Po-Hsu Lin wrote:
>> From: Eric Anholt <[hidden email]>
>>
>> By failing to set the errno, we'd continue on to trying to set up the
>> RCL, and then oops on trying to dereference the tile_bo that binning
>> validation should have set up.
>>
>> Reported-by: Ingo Molnar <[hidden email]>
>> Signed-off-by: Eric Anholt <[hidden email]>
>> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
>> (cherry picked
>
> Was this for Yakkety and replaced by an updated submission?
>
> -Stefan
>
> from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
>> CVE-2017-5577
>> Signed-off-by: Po-Hsu Lin <[hidden email]>
>> ---
>>  drivers/gpu/drm/vc4/vc4_gem.c |    1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
>> index ae1609e..2f732f9 100644
>> --- a/drivers/gpu/drm/vc4/vc4_gem.c
>> +++ b/drivers/gpu/drm/vc4/vc4_gem.c
>> @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
>>                                         sizeof(struct vc4_shader_state)) ||
>>           temp_size < exec_size) {
>>               DRM_ERROR("overflow in exec arguments\n");
>> +             ret = -EINVAL;
>>               goto fail;
>>       }
>>
>>
>
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team