[CVE-2017-5577,Yakkety] drm/vc4: Return -EINVAL on the overflow checks failing.

Message ID 1495195712-20550-1-git-send-email-po-hsu.lin@canonical.com
State New

Commit Message

Po-Hsu Lin May 19, 2017, 12:08 p.m. UTC
From: Eric Anholt <eric@anholt.net>

By failing to set the errno, we'd continue on to trying to set up the
RCL, and then oops on trying to dereference the tile_bo that binning
validation should have set up.

Reported-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
(cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
CVE-2017-5577
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 drivers/gpu/drm/vc4/vc4_gem.c |    1 +
 1 file changed, 1 insertion(+)

Comments

Colin Ian King May 19, 2017, 12:13 p.m. UTC | #1
On 19/05/17 13:08, Po-Hsu Lin wrote:
> From: Eric Anholt <eric@anholt.net>
> 
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
> 
> Reported-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Eric Anholt <eric@anholt.net>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  drivers/gpu/drm/vc4/vc4_gem.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
> index ae1609e..2f732f9 100644
> --- a/drivers/gpu/drm/vc4/vc4_gem.c
> +++ b/drivers/gpu/drm/vc4/vc4_gem.c
> @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
>  					  sizeof(struct vc4_shader_state)) ||
>  	    temp_size < exec_size) {
>  		DRM_ERROR("overflow in exec arguments\n");
> +		ret = -EINVAL;
>  		goto fail;
>  	}
>  
> 
Clean upstream cherry pick, fixes a genuine issue. Makes sense.

Acked-by: Colin Ian King <colin.king@canonical.com>

Seth Forshee May 19, 2017, 12:31 p.m. UTC | #2
On Fri, May 19, 2017 at 08:08:32PM +0800, Po-Hsu Lin wrote:
> From: Eric Anholt <eric@anholt.net>
> 
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
> 
> Reported-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Eric Anholt <eric@anholt.net>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Seth Forshee <seth.forshee@canonical.com>

Thadeu Lima de Souza Cascardo May 31, 2017, 12:02 p.m. UTC | #3
Applied to yakkety master-next branch.

Thanks.
Cascardo.

Patch

diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
index ae1609e..2f732f9 100644
--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
@@ -603,6 +603,7 @@  vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
 					  sizeof(struct vc4_shader_state)) ||
 	    temp_size < exec_size) {
 		DRM_ERROR("overflow in exec arguments\n");
+		ret = -EINVAL;
 		goto fail;
 	}
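
Review bot: The added `ret = -EINVAL;` in the `temp_size < exec_size` branch closes only this one exit, and the hunk shows neither how `ret` is initialised nor what the other `goto fail` sites in vc4_get_bcl() leave in it. Since the commit message describes the caller carrying on to dereference an unset tile_bo when this function reports success, the rest of the function should be checked for any remaining path that reaches `fail` with `ret` still 0. Separately, `DRM_ERROR("overflow in exec arguments\n")` logs at error level for a condition that depends on the exec arguments being validated; a debug-level or rate-limited message would keep repeated bad submissions from flooding the kernel log.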