From fbf9890dbb2e92476c5d8ae5f2ea3bc7fce98efb Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Thu, 2 Feb 2017 08:56:26 -0800 Subject: [PATCH] Linux v4.9.7 --- ...rflow_in_temporary_allocation_layout.patch | 82 ------------------- kernel.spec | 8 +- sources | 2 +- 3 files changed, 5 insertions(+), 87 deletions(-) delete mode 100644 drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch diff --git a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch deleted file mode 100644 index 37f012073..000000000 --- a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch +++ /dev/null @@ -1,82 +0,0 @@ -From: Eric Anholt -To: dri-devel@lists.freedesktop.org -Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary - allocation layout. -Date: Wed, 18 Jan 2017 07:20:49 +1100 - -We copy the unvalidated ioctl arguments from the user into kernel -temporary memory to run the validation from, to avoid a race where the -user updates the unvalidate contents in between validating them and -copying them into the validated BO. - -However, in setting up the layout of the kernel side, we failed to -check one of the additions (the roundup() for shader_rec_offset) -against integer overflow, allowing a nearly MAX_UINT value of -bin_cl_size to cause us to under-allocate the temporary space that we -then copy_from_user into. - -Reported-by: Murray McAllister -Signed-off-by: Eric Anholt -Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") ---- - drivers/gpu/drm/vc4/vc4_gem.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c -index db920771bfb5..c5fe3554858e 100644 ---- a/drivers/gpu/drm/vc4/vc4_gem.c -+++ b/drivers/gpu/drm/vc4/vc4_gem.c -@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) - args->shader_rec_count); - struct vc4_bo *bo; - -- if (uniforms_offset < shader_rec_offset || -+ if (shader_rec_offset < args->bin_cl_size || -+ uniforms_offset < shader_rec_offset || - exec_size < uniforms_offset || - args->shader_rec_count >= (UINT_MAX / - sizeof(struct vc4_shader_state)) || --- -2.11.0 - -_______________________________________________ -dri-devel mailing list -dri-devel@lists.freedesktop.org -https://lists.freedesktop.org/mailman/listinfo/dri-devel - -From: Eric Anholt -To: dri-devel@lists.freedesktop.org -Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing. -Date: Wed, 18 Jan 2017 07:20:50 +1100 - -By failing to set the errno, we'd continue on to trying to set up the -RCL, and then oops on trying to dereference the tile_bo that binning -validation should have set up. - -Reported-by: Ingo Molnar -Signed-off-by: Eric Anholt -Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") ---- - drivers/gpu/drm/vc4/vc4_gem.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c -index c5fe3554858e..ab3016982466 100644 ---- a/drivers/gpu/drm/vc4/vc4_gem.c -+++ b/drivers/gpu/drm/vc4/vc4_gem.c -@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) - sizeof(struct vc4_shader_state)) || - temp_size < exec_size) { - DRM_ERROR("overflow in exec arguments\n"); -+ ret = -EINVAL; - goto fail; - } - --- -2.11.0 - -_______________________________________________ -dri-devel mailing list -dri-devel@lists.freedesktop.org -https://lists.freedesktop.org/mailman/listinfo/dri-devel - diff --git a/kernel.spec b/kernel.spec index 43ded8ad8..0d64314cb 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -633,9 +633,6 @@ Patch851: selinux-namespace-fix.patch #rhbz 1390308 Patch852: nouveau-add-maxwell-to-backlight-init.patch -#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439 -Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch - #The saddest EFI firmware bug Patch854: 0001-x86-efi-always-map-first-physical-page-into-EFI-page.patch @@ -2189,6 +2186,9 @@ fi # # %changelog +* Thu Feb 02 2017 Laura Abbott - 4.9.7-200 +- Linux v4.9.7 + * Tue Jan 31 2017 Justin M. Forbes - Fix kvm nested virt CVE-2017-2596 (rhbz 1417812 1417813) diff --git a/sources b/sources index 578616825..be324d25e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 -SHA512 (patch-4.9.6.xz) = 230ab118639d19b7a473e75f5463ea9add3db8cb70fe3ba546e053fc1bd32b1d353eb1c107f5467e5f24a26c43c623cf79cf8d5a5cef85613e4da989a6c0326a +SHA512 (patch-4.9.7.xz) = 48592d15efd6111eaacfa47a6def496bcc120f39bd93afccf4f23c7b93cc320638349890c67ba14792b5330a9a4c7e7fa74db6f84f4df92d20a2bf5a3eb3dcc6