From c140072f7fefdce83c51dba202694cbad0a03e7f Mon Sep 17 00:00:00 2001
From: Chuck Ebbert
Date: Dec 10 2010 19:47:45 +0000
Subject: CVE-2010-2962: arbitrary kernel memory write via i915 GEM ioctl
---
diff --git a/drm-i915-sanity-check-pread-pwrite.patch b/drm-i915-sanity-check-pread-pwrite.patch
new file mode 100644
index 0000000..d439bb6
--- /dev/null
+++ b/drm-i915-sanity-check-pread-pwrite.patch
@@ -0,0 +1,87 @@
+From: Chris Wilson
+Date: Sun, 26 Sep 2010 19:50:05 +0000 (+0100)
+Subject: drm/i915: Sanity check pread/pwrite
+X-Git-Tag: v2.6.36-rc7~17^2~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4
+
+drm/i915: Sanity check pread/pwrite
+
+Move the access control up from the fast paths, which are no longer
+universally taken first, up into the caller. This then duplicates some
+sanity checking along the slow paths, but is much simpler.
+Tracked as CVE-2010-2962.
+
+Reported-by: Kees Cook
+Signed-off-by: Chris Wilson
+Cc: stable@kernel.org
+---
+
+diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
+index cfe5978..7749e78 100644
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -477,8 +477,15 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference_unlocked(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_WRITE,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ if (i915_gem_object_needs_bit17_swizzle(obj)) {
+@@ -490,8 +497,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
+ file_priv);
+ }
+
++err:
+ drm_gem_object_unreference_unlocked(obj);
+-
+ return ret;
+ }
+
+@@ -580,8 +587,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
+
+ user_data = (char __user *) (uintptr_t) args->data_ptr;
+ remain = args->size;
+- if (!access_ok(VERIFY_READ, user_data, remain))
+- return -EFAULT;
+
+
+ mutex_lock(&dev->struct_mutex);
+@@ -940,8 +945,15 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
+ */
+ if (args->offset > obj->size || args->size > obj->size ||
+ args->offset + args->size > obj->size) {
+- drm_gem_object_unreference_unlocked(obj);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
++ }
++
++ if (!access_ok(VERIFY_READ,
++ (char __user *)(uintptr_t)args->data_ptr,
++ args->size)) {
++ ret = -EFAULT;
++ goto err;
+ }
+
+ /* We can only do the GTT pwrite on untiled buffers, as otherwise
+@@ -975,8 +987,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
+ DRM_INFO("pwrite failed %d\n", ret);
+ #endif
+
++err:
+ drm_gem_object_unreference_unlocked(obj);
+-
+ return ret;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index 0779ca9..378824a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -720,6 +720,8 @@ Patch1903: drm-nouveau-pusher-intr.patch
 Patch1904: drm-nouveau-ibdma-race.patch
 # radeon
 Patch1905: drm-radeon-kms-mc-vram-map-needs-to-be-gteq-pci-aperature.patch
+# CVE-2010-2962
+Patch1906: drm-i915-sanity-check-pread-pwrite.patch
 # linux1394 git patches
 Patch2200: linux-2.6-firewire-git-update.patch
@@ -1482,6 +1484,8 @@ ApplyPatch drm-radeon-resume-fixes.patch
 # rhbz#632310
 ApplyPatch drm-radeon-kms-mc-vram-map-needs-to-be-gteq-pci-aperature.patch
 ApplyPatch linux-2.6-intel-iommu-igfx.patch
+# CVE-2010-2962
+ApplyPatch drm-i915-sanity-check-pread-pwrite.patch
 # linux1394 git patches
 ApplyOptionalPatch linux-2.6-firewire-git-update.patch
@@ -2299,6 +2303,9 @@ fi
 %changelog
+* Fri Dec 10 2010 Chuck Ebbert
+- CVE-2010-2962: arbitrary kernel memory write via i915 GEM ioctl
+
 * Thu Dec 09 2010 Kyle McMartin
 - ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch from 2.6.35.y (#605845) [556ab45f]
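Review bot: In the embedded i915_gem.c patch, `i915_gem_gtt_pwrite_fast()` (inner hunk at -580,8) no longer validates `args->data_ptr` itself, so its safety now rests on an unwritten precondition that the ioctl entry point has already called `access_ok()`. I would record that where the check was removed, for example `/* data_ptr/size were validated with access_ok() in i915_gem_pwrite_ioctl() */` above the `user_data = ...` assignment, and put the matching sentence in the header comments of the other pread/pwrite helpers that the two ioctls dispatch to. The helper bodies start and end outside these hunks, so which of them copy with unchecked user-access primitives is an inference rather than something visible here. If any do, a later caller that reaches them without going through the ioctl-level check would silently reintroduce the condition tracked as CVE-2010-2962, which is why the contract deserves to be written down next to the code.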