Message ID | 1495195464-20395-1-git-send-email-po-hsu.lin@canonical.com |
---|---|
State | New |
Headers | show |
On 19.05.2017 14:04, Po-Hsu Lin wrote: > From: Eric Anholt <eric@anholt.net> > > By failing to set the errno, we'd continue on to trying to set up the > RCL, and then oops on trying to dereference the tile_bo that binning > validation should have set up. > > Reported-by: Ingo Molnar <mingo@kernel.org> > Signed-off-by: Eric Anholt <eric@anholt.net> > Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") > (cherry picked Was this for Yakkety and replaced by an updated submission? -Stefan from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9) > CVE-2017-5577 > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > drivers/gpu/drm/vc4/vc4_gem.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c > index ae1609e..2f732f9 100644 > --- a/drivers/gpu/drm/vc4/vc4_gem.c > +++ b/drivers/gpu/drm/vc4/vc4_gem.c > @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) > sizeof(struct vc4_shader_state)) || > temp_size < exec_size) { > DRM_ERROR("overflow in exec arguments\n"); > + ret = -EINVAL; > goto fail; > } > >
Hello, Yes, this patch is for Yakkety, I have NAKed this one as I forgot to add the [CVE-2017-5577][Yakkety] in the title (the content is the same) Please refer to the [CVE-2017-5577][Yakkety] drm/vc4: Return -EINVAL on the overflow checks failing. Thanks On Tue, May 23, 2017 at 4:31 PM, Stefan Bader <stefan.bader@canonical.com> wrote: > On 19.05.2017 14:04, Po-Hsu Lin wrote: >> From: Eric Anholt <eric@anholt.net> >> >> By failing to set the errno, we'd continue on to trying to set up the >> RCL, and then oops on trying to dereference the tile_bo that binning >> validation should have set up. >> >> Reported-by: Ingo Molnar <mingo@kernel.org> >> Signed-off-by: Eric Anholt <eric@anholt.net> >> Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") >> (cherry picked > > Was this for Yakkety and replaced by an updated submission? > > -Stefan > > from commit 6b8ac63847bc2f958dd93c09edc941a0118992d9) >> CVE-2017-5577 >> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> >> --- >> drivers/gpu/drm/vc4/vc4_gem.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c >> index ae1609e..2f732f9 100644 >> --- a/drivers/gpu/drm/vc4/vc4_gem.c >> +++ b/drivers/gpu/drm/vc4/vc4_gem.c >> @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) >> sizeof(struct vc4_shader_state)) || >> temp_size < exec_size) { >> DRM_ERROR("overflow in exec arguments\n"); >> + ret = -EINVAL; >> goto fail; >> } >> >> > > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c index ae1609e..2f732f9 100644 --- a/drivers/gpu/drm/vc4/vc4_gem.c +++ b/drivers/gpu/drm/vc4/vc4_gem.c @@ -603,6 +603,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) sizeof(struct vc4_shader_state)) || temp_size < exec_size) { DRM_ERROR("overflow in exec arguments\n"); + ret = -EINVAL; goto fail; }