From patchwork Mon May 15 11:39:53 2017
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 762437
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2017-7294][Yakkety] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
Date: Mon, 15 May 2017 19:39:53 +0800
Message-Id: <1494848395-16587-1-git-send-email-po-hsu.lin@canonical.com>

From: Li Qiang

In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the 'req->mip_levels' array. This array can be assigned any value from the user space. As both the 'num_sizes' and the array are uint32_t, it is easy to make 'num_sizes' overflow. The later 'mip_levels' is used as the loop count. This can lead to an oob write. Add the check of 'req->mip_levels' to avoid this.

Cc:
Signed-off-by: Li Qiang
Reviewed-by: Thomas Hellstrom
(cherry picked from commit e7e11f99564222d82f0ce84bd521e57d78a6678)
CVE-2017-7294
Signed-off-by: Po-Hsu Lin Acked-by: Seth Forshee Acked-by: Colin Ian King --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index c2a721a..aa0108d 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -715,8 +715,11 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, 128; num_sizes = 0; - for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) + for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) { + if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) + return -EINVAL; num_sizes += req->mip_levels[i]; + } if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
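Review bot: with the per-face bound now rejected inside the loop before the addition, the pre-existing check on the trailing context line, `if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)`, can no longer fire, because each of the DRM_VMW_MAX_SURFACE_FACES addends is at most DRM_VMW_MAX_MIP_LEVELS and the sum is therefore bounded by exactly that product. Keeping it as defence in depth is reasonable, but a short comment noting that it is now a sanity check would tell the next reader which of the two bounds is load-bearing. The ordering of the new check is correct: returning -EINVAL before `num_sizes += req->mip_levels[i]` means the uint32_t total is built only from validated terms, which is what closes the wrap-around the commit message describes.

To show why the check has to sit on each element rather than only on the total, here is an added C model of the two versions of the summation (example code, not the driver's own): the limit values are assumed to match the kernel's uapi header, and the request array is a constructed input.

```c
#include <stdint.h>
#include <errno.h>

/* Limit values are assumed here to match include/uapi/drm/vmwgfx_drm.h;
 * only the macro names appear in the patch. */
#define DRM_VMW_MAX_SURFACE_FACES 6
#define DRM_VMW_MAX_MIP_LEVELS    24

/* Minimal stand-in for the ioctl request: the user-controlled per-face array. */
struct surface_req {
    uint32_t mip_levels[DRM_VMW_MAX_SURFACE_FACES];
};

/* Pre-patch logic: sum first, bound the sum afterwards.
 * Returns 0 on acceptance or -EINVAL, and stores the computed total. */
int sum_then_check(const struct surface_req *req, uint32_t *num_sizes)
{
    uint32_t total = 0;
    for (int i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
        total += req->mip_levels[i];   /* uint32_t addition wraps silently */
    *num_sizes = total;
    if (total > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
        return -EINVAL;
    return 0;
}

/* Patched logic: reject any single face count above the limit before it
 * is added, so the total is built only from validated terms and cannot wrap. */
int check_then_sum(const struct surface_req *req, uint32_t *num_sizes)
{
    uint32_t total = 0;
    for (int i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
        if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
            return -EINVAL;
        total += req->mip_levels[i];
    }
    *num_sizes = total;
    /* Now unreachable (sum of 6 values each <= 24), kept as defence in depth. */
    if (total > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
        return -EINVAL;
    return 0;
}
```

With a constructed array such as {UINT32_MAX, 2, 0, 0, 0, 0} the old path accepts a total of 1 while one face still carries a huge loop count; the patched path rejects it at the first element.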