Re: CVE Request: some drm overflow checks

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/21/2012 12:38 AM, Marcus Meissner wrote:
> Hi,
>
> spotted in xorls blog, who spotted it in the kernel stable
> changelog: 
> https://xorl.wordpress.com/2012/05/17/linux-kernel-drm-intel-i915-multiple-ioctl-integer-overflows/
>
>  It has two issues:
>
> 1. overflow of cliprect kmalloc as args->num_cliprects is not
> bounded and passed in via a user ioctl.
>
> Fixed via ed8cd3b2cd61004cab85380c52b1817aca1ca49b in mainline: 
> commit ed8cd3b2cd61004cab85380c52b1817aca1ca49b Author: Xi Wang
> <xi.wang () gmail com> Date:   Mon Apr 23 04:06:41 2012 -0400
>
> drm/i915: fix integer overflow in i915_gem_execbuffer2()
>
> On 32-bit systems, a large args->buffer_count from userspace via
> ioctl may overflow the allocation size, leading to out-of-bounds
> access.
>
> This vulnerability was introduced in commit 8408c282 ("drm/i915: 
> First try a normal large kmalloc for the temporary exec buffers").
>
>
> 8408c282 was added Feb 21 2011, and seemingly added during 2.6.38
> development.

drm/i915: fix integer overflow in i915_gem_execbuffer2()

Please use CVE-2012-2383 for this issue.

> 2. same file, overflow in args->buffer_count.
>
> Fix is in mainline 44afb3a04391a74309d16180d1e4f8386fdfa745
>
> commit 44afb3a04391a74309d16180d1e4f8386fdfa745 Author: Xi Wang
> <xi.wang () gmail com> Date:   Mon Apr 23 04:06:42 2012 -0400
>
> drm/i915: fix integer overflow in i915_gem_do_execbuffer()
>
> On 32-bit systems, a large args->num_cliprects from userspace via
> ioctl may overflow the allocation size, leading to out-of-bounds
> access.
>
> This vulnerability was introduced in commit 432e58ed ("drm/i915:
> Avoid allocation for execbuffer object list").
>
>
> 432e58ed was added during 2.6.37 development.

drm/i915: fix integer overflow in i915_gem_do_execbuffer()

Please use CVE-2012-2384 for this issue.

> I think it needs 2 CVEs, due to the different kernel versions
> introducing it.

Agreed.

> Ciao, Marcus


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPu86EAAoJEBYNRVNeJnmTrikP/i4H7U6RE9rL+a07wgBWZuIj
Q1qGp68i5hGBKXWOEQkZTLBVlbfkZL5DscNqBEhG2PBcvgoApuSvSsJ1goH7oDo0
DkTIp/C9zd889gRF8hyflvhTIsgNaPr05pVGCNNuLgoBmvYnp1+XGLi7DIjjLg/A
7P6C+TqKoQraaXaeiwc0EcHWYLIXYgyrFpnqcIJ76NzbXPiVhINQbsqXujj1D3iz
YqEGTRKNgXTos05MvsR8rxVG2wYHjG/eq2tD8ADb37xs9TRF8dDzv69FNWIf5dem
pARCnSimWZtOApY9Mj+TRh/zeUJ03RfxlR8fPzpi4q8Wcf7CITkocol9G/0MN2HL
XoYdttpEaie2PT4MVj4MnL5GjMJeAV3LCN3he56BqxgcqSJXFpbiOk69Ez854zOb
RmG3go7wC4hrz5V5i5d2rpAp3fuCOWXXhNdP+59oma5MvfF3qPqhj/vhwM5rjs8i
4COD7i3EgdgcazDLrYyavUnYSItw6H5gL5VdI6mMVmUkW9zjyrFwxTmmMi/IcuIa
6GZL/J8RG3JbFsOISA/ROP4e65Kdn6ifYaagKc9WFiv72VA9+e5GdlX6mzS+9PDj
O1v3syrSY7FUdRyntYpOFYUWXPU3ozMyeIXBvx2hLFwgB1zJd1HlpAYnB433kVUY
JjTHecw7ObVI8FTW9Qhr
=RD91
-----END PGP SIGNATURE-----