linux-cavium: CVE-2017-5577

vc4: Heap-buffer overflow due to failing checks Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5577 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 12:28:00 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-29 13:08:46 +0200
commit: 457bb241d20a2434228b566dc74a2a4bbee6c4ef (patch)
tree: 03f7c1ad0ee7e0cd9294ab7379fa58b62eb96241
parent: 894bce5eff9262bb5376640409580c37bdc081c3 (diff)
download: meta-enea-bsp-arm-457bb241d20a2434228b566dc74a2a4bbee6c4ef.tar.gz
2 files changed, 39 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch
new file mode 100644
index 0000000..e50e108
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch
@@ -0,0 +1,38 @@
+From cfba2a001d0e36905016bb4f87fc47245c944c36 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Tue, 17 Jan 2017 21:58:06 +1100
+Subject: [PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.
+commit 6b8ac63847bc2f958dd93c09edc941a0118992d9 upstream.
+By failing to set the errno, we'd continue on to trying to set up the
+RCL, and then oops on trying to dereference the tile_bo that binning
+validation should have set up.
+CVE: CVE-2017-5577
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 39ef674..18e3717 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
+++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -601,6 +601,7 @@ struct vc4_hang_state {
+                                          sizeof(struct vc4_shader_state)) ||
+            temp_size < exec_size) {
+                DRM_ERROR("overflow in exec arguments\n");
+               ret = -EINVAL;
+                goto fail;
+        }
+ 
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index cc3e666..8ff28fd 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2016-10154.patch \
           file://CVE-2016-10208.patch \
           file://CVE-2017-5551.patch \
+           file://CVE-2017-5577.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 12:28:00 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-29 13:08:46 +0200
commit	457bb241d20a2434228b566dc74a2a4bbee6c4ef (patch)
tree	03f7c1ad0ee7e0cd9294ab7379fa58b62eb96241
parent	894bce5eff9262bb5376640409580c37bdc081c3 (diff)
download	meta-enea-bsp-arm-457bb241d20a2434228b566dc74a2a4bbee6c4ef.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch new file mode 100644 index 0000000..e50e108 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch
@@ -0,0 +1,38 @@
		1	From cfba2a001d0e36905016bb4f87fc47245c944c36 Mon Sep 17 00:00:00 2001
		2	From: Eric Anholt <eric@anholt.net>
		3	Date: Tue, 17 Jan 2017 21:58:06 +1100
		4	Subject: [PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.
		5
		6	commit 6b8ac63847bc2f958dd93c09edc941a0118992d9 upstream.
		7
		8	By failing to set the errno, we'd continue on to trying to set up the
		9	RCL, and then oops on trying to dereference the tile_bo that binning
		10	validation should have set up.
		11
		12	CVE: CVE-2017-5577
		13	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		14
		15	Reported-by: Ingo Molnar <mingo@kernel.org>
		16	Signed-off-by: Eric Anholt <eric@anholt.net>
		17	Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
		18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		19	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		20	---
		21	drivers/gpu/drm/vc4/vc4_gem.c \| 1 +
		22	1 file changed, 1 insertion(+)
		23
		24	diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
		25	index 39ef674..18e3717 100644
		26	--- a/drivers/gpu/drm/vc4/vc4_gem.c
		27	+++ b/drivers/gpu/drm/vc4/vc4_gem.c
		28	@@ -601,6 +601,7 @@ struct vc4_hang_state {
		29	sizeof(struct vc4_shader_state)) \|\|
		30	temp_size < exec_size) {
		31	DRM_ERROR("overflow in exec arguments\n");
		32	+ ret = -EINVAL;
		33	goto fail;
		34	}
		35
		36	--
		37	1.9.1
		38


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index cc3e666..8ff28fd 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
18	file://CVE-2016-10154.patch \	18	file://CVE-2016-10154.patch \
19	file://CVE-2016-10208.patch \	19	file://CVE-2016-10208.patch \
20	file://CVE-2017-5551.patch \	20	file://CVE-2017-5551.patch \
		21	file://CVE-2017-5577.patch \
21	file://CVE-2017-7487.patch \	22	file://CVE-2017-7487.patch \
22	file://CVE-2017-7618.patch \	23	file://CVE-2017-7618.patch \
23	file://CVE-2017-7645.patch \	24	file://CVE-2017-7645.patch \