pve-kernel-qoup/CVE-2017-7346-drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch

From ab13cf852828060a7d9550c05197e5303de7aefb Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
Date: Wed, 14 Jun 2017 11:09:00 +0200
Subject: [PATCH 4/5] drm/vmwgfx: limit the number of mip levels in
 vmw_gb_surface_define_ioctl()

CVE-2017-7346

The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
a user-controlled 'uint32_t' value which is used as a loop count limit.
This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1437431

Cc: <stable@vger.kernel.org>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>

(cherry picked from commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 8da50fce3b77..56b803384ea2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
 	if (req->multisample_count != 0)
 		return -EINVAL;
 
+	if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
+		return -EINVAL;
+
 	if (unlikely(vmw_user_surface_size == 0))
 		vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
 			128;
-- 
2.11.0
add CVE fixes CVE-2014-9900: net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() CVE-2017-7346: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() CVE-2017-9605: drm/vmwgfx: Make sure backup_handle is always valid CVE-2017-1000380: * ALSA: timer: Fix race between read and ioctl * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2017-07-12 14:49:53 +03:00			`From ab13cf852828060a7d9550c05197e5303de7aefb Mon Sep 17 00:00:00 2001`
			`From: Vladis Dronov <vdronov@redhat.com>`
			`Date: Wed, 14 Jun 2017 11:09:00 +0200`
			`Subject: [PATCH 4/5] drm/vmwgfx: limit the number of mip levels in`
			`vmw_gb_surface_define_ioctl()`

			`CVE-2017-7346`

			`The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is`
			`a user-controlled 'uint32_t' value which is used as a loop count limit.`
			`This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.`

			`References:`
			`https://bugzilla.redhat.com/show_bug.cgi?id=1437431`

			`Cc: <stable@vger.kernel.org>`
			`Signed-off-by: Vladis Dronov <vdronov@redhat.com>`
			`Reviewed-by: Sinclair Yeh <syeh@vmware.com>`

			`(cherry picked from commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf)`
			`Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>`
			`Acked-by: Stefan Bader <stefan.bader@canonical.com>`
			`Acked-by: Seth Forshee <seth.forshee@canonical.com>`
			`Signed-off-by: Stefan Bader <stefan.bader@canonical.com>`
			`Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>`
			`---`
			`drivers/gpu/drm/vmwgfx/vmwgfx_surface.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c`
			`index 8da50fce3b77..56b803384ea2 100644`
			`--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c`
			`+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c`
			`@@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device dev, void data,`
			`if (req->multisample_count != 0)`
			`return -EINVAL;`

			`+ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)`
			`+ return -EINVAL;`
			`+`
			`if (unlikely(vmw_user_surface_size == 0))`
			`vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +`
			`128;`
			`--`
			`2.11.0`