oss-sec mailing list archives
Re: CVE Request: some drm overflow checks
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 22 May 2012 11:36:04 -0600
On 05/21/2012 12:38 AM, Marcus Meissner wrote:
> Hi,
>
> spotted in xorl's blog, who spotted it in the kernel stable changelog:
>
> https://xorl.wordpress.com/2012/05/17/linux-kernel-drm-intel-i915-multiple-ioctl-integer-overflows/
>
> It has two issues:
>
> 1. overflow of cliprect kmalloc as args->num_cliprects is not bounded
>    and passed in via a user ioctl.
>
> Fixed via ed8cd3b2cd61004cab85380c52b1817aca1ca49b in mainline:
>
> commit ed8cd3b2cd61004cab85380c52b1817aca1ca49b
> Author: Xi Wang <xi.wang () gmail com>
> Date:   Mon Apr 23 04:06:41 2012 -0400
>
>     drm/i915: fix integer overflow in i915_gem_execbuffer2()
>
>     On 32-bit systems, a large args->buffer_count from userspace via
>     ioctl may overflow the allocation size, leading to out-of-bounds
>     access.
>
>     This vulnerability was introduced in commit 8408c282 ("drm/i915:
>     First try a normal large kmalloc for the temporary exec buffers").
>
> 8408c282 was added Feb 21 2011, and seemingly added during 2.6.38
> development.

drm/i915: fix integer overflow in i915_gem_execbuffer2()

Please use CVE-2012-2383 for this issue.

> 2. same file, overflow in args->buffer_count.
>
> Fix is in mainline 44afb3a04391a74309d16180d1e4f8386fdfa745
>
> commit 44afb3a04391a74309d16180d1e4f8386fdfa745
> Author: Xi Wang <xi.wang () gmail com>
> Date:   Mon Apr 23 04:06:42 2012 -0400
>
>     drm/i915: fix integer overflow in i915_gem_do_execbuffer()
>
>     On 32-bit systems, a large args->num_cliprects from userspace via
>     ioctl may overflow the allocation size, leading to out-of-bounds
>     access.
>
>     This vulnerability was introduced in commit 432e58ed ("drm/i915:
>     Avoid allocation for execbuffer object list").
>
> 432e58ed was added during 2.6.37 development.

drm/i915: fix integer overflow in i915_gem_do_execbuffer()

Please use CVE-2012-2384 for this issue.

> I think it needs 2 CVEs, due to the different kernel versions
> introducing it.

Agreed.

> Ciao, Marcus
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
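
Both commit messages quoted above describe the same pattern: an element count taken from userspace is multiplied by an element size in 32-bit arithmetic, and the product wraps. The C program below is an added example, not the i915 code or either patch; the 56-byte struct exec_entry and the function names are hypothetical, and uint32_t stands in for a 32-bit size_t so the wrap reproduces on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 56-byte per-buffer record (assumption, not the i915 struct). */
struct exec_entry { uint8_t bytes[56]; };

/* Byte count as computed with a 32-bit size_t: the product wraps mod 2^32.
 * uint32_t models that width so the wrap shows on a 64-bit host too. */
static uint32_t alloc_size_unchecked(uint32_t count)
{
    return (uint32_t)sizeof(struct exec_entry) * count;
}

/* Bound the count before multiplying. Returns 0 and stores the size on
 * success, -1 if the count is zero or its byte size cannot fit in 32 bits. */
static int alloc_size_checked(uint32_t count, uint32_t *size_out)
{
    if (count < 1 || count > UINT32_MAX / sizeof(struct exec_entry))
        return -1;
    *size_out = (uint32_t)sizeof(struct exec_entry) * count;
    return 0;
}

/* Smallest element count whose byte size no longer fits in 32 bits. */
static uint32_t first_wrapping_count(void)
{
    return UINT32_MAX / (uint32_t)sizeof(struct exec_entry) + 1;
}

int main(void)
{
    uint32_t n = first_wrapping_count(), size = 0;

    /* The allocator would be asked for a few bytes while later code
     * still indexes n entries: the out-of-bounds access in the reports. */
    printf("count=%u unchecked size=%u bytes\n",
           (unsigned)n, (unsigned)alloc_size_unchecked(n));
    printf("checked(n)   -> %d\n", alloc_size_checked(n, &size));
    if (alloc_size_checked(n - 1, &size) == 0)
        printf("checked(n-1) -> 0, size=%u bytes\n", (unsigned)size);
    return 0;
}
```

On a 64-bit kernel the same multiplication is done in 64 bits and a 32-bit count cannot wrap it, which is why both commit messages limit the problem to 32-bit systems.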