git.proxmox.com Git - pve-kernel.git/blob - CVE-2017-7346-drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
bump version to 4.10.17-16, bump ABI to 4.10.17-1-pve
1 From ab13cf852828060a7d9550c05197e5303de7aefb Mon Sep 17 00:00:00 2001
2 From: Vladis Dronov <vdronov@redhat.com>
3 Date: Wed, 14 Jun 2017 11:09:00 +0200
4 Subject: [PATCH 4/5] drm/vmwgfx: limit the number of mip levels in
5 vmw_gb_surface_define_ioctl()
6
7 CVE-2017-7346
8
9 The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
10 a user-controlled 'uint32_t' value which is used as a loop count limit.
11 This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
12
13 References:
14 https://bugzilla.redhat.com/show_bug.cgi?id=1437431
15
16 Cc: <stable@vger.kernel.org>
17 Signed-off-by: Vladis Dronov <vdronov@redhat.com>
18 Reviewed-by: Sinclair Yeh <syeh@vmware.com>
19
20 (cherry picked from commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf)
21 Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
22 Acked-by: Stefan Bader <stefan.bader@canonical.com>
23 Acked-by: Seth Forshee <seth.forshee@canonical.com>
24 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
25 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
26 ---
27 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
28 1 file changed, 3 insertions(+)
29
30 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
31 index 8da50fce3b77..56b803384ea2 100644
32 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
33 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
34 @@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
35 if (req->multisample_count != 0)
36 return -EINVAL;
37
38 + if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
39 + return -EINVAL;
40 +
41 if (unlikely(vmw_user_surface_size == 0))
42 vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
43 128;
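Review bot: The bound in the added `if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)` test accepts a value equal to the maximum, and the definition of DRM_VMW_MAX_MIP_LEVELS is not part of this diff, so it is worth confirming that the loop the commit message refers to, and any fixed-size storage indexed by mip level, are sized for exactly DRM_VMW_MAX_MIP_LEVELS entries rather than one fewer. A one-line comment above the check noting that 'req->mip_levels' is a user-controlled loop limit would also keep the reason visible at the call site, since the -EINVAL return is otherwise indistinguishable from the multisample_count rejection just above it. Minor style point: the neighbouring size check uses unlikely(), and the new test could match it for consistency.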
44 --
45 2.11.0
46