From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Chris Wilson" <chris@chris-wilson.co.uk>,
"Dave Airlie" <airlied@redhat.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
dri-devel@lists.freedesktop.org
Subject: [PATCH 3.4 25/26] drm: Prevent overwriting from userspace underallocating core ioctl structs
Date: Fri, 8 Nov 2013 22:51:54 -0800 [thread overview]
Message-ID: <20131109065051.955981364@linuxfoundation.org> (raw)
In-Reply-To: <20131109065050.089866597@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
commit b062672e305ce071f21eb9e18b102c2a430e0999 upstream.
Apply the protections from
commit 1b2f1489633888d4a06028315dc19d65768a1c05
Author: Dave Airlie <airlied@redhat.com>
Date: Sat Aug 14 20:20:34 2010 +1000
drm: block userspace under allocating buffer and having drivers overwrite it (v2)
to the core ioctl structs as well, for we found one instance where there
is a 32-/64-bit size mismatch and were guilty of writing beyond the end
of the user's buffer.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Dave Airlie <airlied@redhat.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_drv.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -420,9 +420,16 @@ long drm_ioctl(struct file *filp,
asize = drv_size;
}
else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
+ u32 drv_size;
+
ioctl = &drm_ioctls[nr];
- cmd = ioctl->cmd;
+
+ drv_size = _IOC_SIZE(ioctl->cmd);
usize = asize = _IOC_SIZE(cmd);
+ if (drv_size > asize)
+ asize = drv_size;
+
+ cmd = ioctl->cmd;
} else
goto err_i1;
next prev parent reply other threads:[~2013-11-09 6:51 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-09 6:51 [PATCH 3.4 00/26] 3.4.69-stable review Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 01/26] USB: support new huawei devices in option.c Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 02/26] USB: quirks.c: add one device that cannot deal with suspension Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 03/26] USB: quirks: add touchscreen that is dazzeled by remote wakeup Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 04/26] USB: serial: ftdi_sio: add id for Z3X Box device Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 05/26] mac80211: correctly close cancelled scans Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 06/26] mac80211: update sta->last_rx on acked tx frames Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 07/26] rtlwifi: rtl8192cu: Fix error in pointer arithmetic Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 08/26] jfs: fix error path in ialloc Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 09/26] can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 10/26] libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 11/26] md: Fix skipping recovery for read-only arrays Greg Kroah-Hartman
2013-11-17 4:11 ` Ben Hutchings
2013-11-17 7:20 ` NeilBrown
2013-11-09 6:51 ` [PATCH 3.4 12/26] clockevents: Sanitize ticks to nsec conversion Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 13/26] parisc: Do not crash 64bit SMP kernels on machines with >= 4GB RAM Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 14/26] ALSA: hda - Add a fixup for ASUS N76VZ Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 15/26] ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 16/26] ASoC: wm_hubs: Add missing break in hp_supply_event() Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 17/26] ASoC: dapm: Fix source list debugfs outputs Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 18/26] staging: ozwpan: prevent overflow in oz_cdev_write() Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 19/26] Staging: bcm: info leak in ioctl Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 20/26] uml: check length in exitcode_proc_write() Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 21/26] xtensa: dont use alternate signal stack on threads Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 22/26] lib/scatterlist.c: dont flush_kernel_dcache_page on slab page Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 23/26] aacraid: missing capable() check in compat ioctl Greg Kroah-Hartman
2013-11-09 6:51 ` [PATCH 3.4 24/26] mm: fix aio performance regression for database caused by THP Greg Kroah-Hartman
2013-11-09 6:51 ` Greg Kroah-Hartman [this message]
2013-11-09 6:51 ` [PATCH 3.4 26/26] drm/radeon/atom: workaround vbios bug in transmitter table on rs780 Greg Kroah-Hartman
2013-11-09 14:24 ` [PATCH 3.4 00/26] 3.4.69-stable review Satoru Takeuchi
2013-11-09 16:19 ` Greg Kroah-Hartman
2013-11-09 16:58 ` Guenter Roeck
2013-11-09 17:12 ` Greg Kroah-Hartman
2013-11-11 17:58 ` Shuah Khan
2013-11-11 22:51 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131109065051.955981364@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=airlied@redhat.com \
--cc=chris@chris-wilson.co.uk \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=ville.syrjala@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).