Message ID | 1495195712-20550-1-git-send-email-po-hsu.lin@canonical.com |
---|---|
State | New |
On 19/05/17 13:08, Po-Hsu Lin wrote:
> From: Eric Anholt <eric@anholt.net>
>
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
>
> Reported-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Eric Anholt <eric@anholt.net>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
> drivers/gpu/drm/vc4/vc4_gem.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c > index ae1609e..2f732f9 100644 > --- a/drivers/gpu/drm/vc4/vc4_gem.c > +++ b/drivers/gpu/drm/vc4/vc4_gem.c > @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) > sizeof(struct vc4_shader_state)) || > temp_size < exec_size) { > DRM_ERROR("overflow in exec arguments\n"); > + ret = -EINVAL; > goto fail; > }
>

Clean upstream cherry pick, fixes a genuine issue. Makes sense.

Acked-by: Colin Ian King <colin.king@canonical.com>

On Fri, May 19, 2017 at 08:08:32PM +0800, Po-Hsu Lin wrote:
> From: Eric Anholt <eric@anholt.net>
>
> By failing to set the errno, we'd continue on to trying to set up the
> RCL, and then oops on trying to dereference the tile_bo that binning
> validation should have set up.
>
> Reported-by: Ingo Molnar <mingo@kernel.org>
> Signed-off-by: Eric Anholt <eric@anholt.net>
> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
> (cherry picked from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9)
> CVE-2017-5577
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Seth Forshee <seth.forshee@canonical.com>

Applied to yakkety master-next branch. Thanks. Cascardo.
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c index ae1609e..2f732f9 100644 --- a/drivers/gpu/drm/vc4/vc4_gem.c +++ b/drivers/gpu/drm/vc4/vc4_gem.c @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) sizeof(struct vc4_shader_state)) || temp_size < exec_size) { DRM_ERROR("overflow in exec arguments\n"); + ret = -EINVAL; goto fail; }
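Review bot: the added `ret = -EINVAL;` in the overflow branch of vc4_get_bcl() covers only this one `goto fail`, so any other jump to that label that leaves `ret` at its success value would reproduce the same bug. The commit message says the caller then continues to RCL setup and dereferences a tile_bo that was never set up, so it is worth confirming in this backport that every other `goto fail` in the function assigns an errno first, and considering a check in the caller that tile_bo is non-NULL before RCL setup so a missed errno fails closed instead of oopsing. A smaller point on the same branch: `DRM_ERROR("overflow in exec arguments\n");` logs at error level on a condition driven by the submitted exec arguments, so a debug-level message would avoid letting bad submissions fill the kernel log.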