From 457bb241d20a2434228b566dc74a2a4bbee6c4ef Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 29 Sep 2017 12:28:00 +0200
Subject: linux-cavium: CVE-2017-5577 vc4: Heap-buffer overflow due to failing checks
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5577
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../linux/linux-cavium/CVE-2017-5577.patch | 38 ++++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch
new file mode 100644
index 0000000..e50e108
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5577.patch
@@ -0,0 +1,38 @@
+From cfba2a001d0e36905016bb4f87fc47245c944c36 Mon Sep 17 00:00:00 2001
+From: Eric Anholt
+Date: Tue, 17 Jan 2017 21:58:06 +1100
+Subject: [PATCH] drm/vc4: Return -EINVAL on the overflow checks failing.
+
+commit 6b8ac63847bc2f958dd93c09edc941a0118992d9 upstream.
+
+By failing to set the errno, we'd continue on to trying to set up the
+RCL, and then oops on trying to dereference the tile_bo that binning
+validation should have set up.
+
+CVE: CVE-2017-5577
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Reported-by: Ingo Molnar
+Signed-off-by: Eric Anholt
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
+index 39ef674..18e3717 100644
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -601,6 +601,7 @@ struct vc4_hang_state {
+ sizeof(struct vc4_shader_state)) ||
+ temp_size < exec_size) {
+ DRM_ERROR("overflow in exec arguments\n");
++ ret = -EINVAL;
+ goto fail;
+ }
+
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index cc3e666..8ff28fd 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2016-10154.patch \
 file://CVE-2016-10208.patch \
 file://CVE-2017-5551.patch \
+ file://CVE-2017-5577.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \
--
cgit v1.2.3-54-g00ecf
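Review bot: The recipe commit's subject calls this a heap-buffer overflow, but the embedded upstream message in CVE-2017-5577.patch describes a different failure: the overflow check in vc4_gem.c logged "overflow in exec arguments" and jumped to `fail` without setting `ret`, so execution continued to RCL setup and oopsed on the `tile_bo` dereference. I would align the subject with the fix actually carried, e.g. `linux-cavium: CVE-2017-5577 vc4: return -EINVAL when overflow checks fail`, so anyone triaging the backport list does not read it as a memory-corruption patch. The function containing the added `ret = -EINVAL;` starts and ends outside the embedded hunk (its `@@` heading names `struct vc4_hang_state`, which is presumably just the nearest preceding declaration), so whether other `goto fail` sites in that function also leave `ret` unset cannot be checked from this page and is worth confirming against the linux-cavium 4.9 tree.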