Date: Tue, 22 May 2012 11:36:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: some drm overflow checks

On 05/21/2012 12:38 AM, Marcus Meissner wrote:
> Hi,
>
> spotted in xorl's blog, who spotted it in the kernel stable
> changelog:
> https://xorl.wordpress.com/2012/05/17/linux-kernel-drm-intel-i915-multiple-ioctl-integer-overflows/
>
> It has two issues:
>
> 1. overflow of cliprect kmalloc as args->num_cliprects is not
> bounded and passed in via a user ioctl.
>
> Fixed via ed8cd3b2cd61004cab85380c52b1817aca1ca49b in mainline:
> commit ed8cd3b2cd61004cab85380c52b1817aca1ca49b
> Author: Xi Wang <xi.wang@...il.com>
> Date: Mon Apr 23 04:06:41 2012 -0400
>
> drm/i915: fix integer overflow in i915_gem_execbuffer2()
>
> On 32-bit systems, a large args->buffer_count from userspace via
> ioctl may overflow the allocation size, leading to out-of-bounds
> access.
>
> This vulnerability was introduced in commit 8408c282 ("drm/i915:
> First try a normal large kmalloc for the temporary exec buffers").
>
>
> 8408c282 was added Feb 21 2011, and seemingly added during 2.6.38
> development.

drm/i915: fix integer overflow in i915_gem_execbuffer2()
Please use CVE-2012-2383 for this issue.

> 2. same file, overflow in args->buffer_count.
>
> Fix is in mainline 44afb3a04391a74309d16180d1e4f8386fdfa745
>
> commit 44afb3a04391a74309d16180d1e4f8386fdfa745
> Author: Xi Wang <xi.wang@...il.com>
> Date: Mon Apr 23 04:06:42 2012 -0400
>
> drm/i915: fix integer overflow in i915_gem_do_execbuffer()
>
> On 32-bit systems, a large args->num_cliprects from userspace via
> ioctl may overflow the allocation size, leading to out-of-bounds
> access.
>
> This vulnerability was introduced in commit 432e58ed ("drm/i915:
> Avoid allocation for execbuffer object list").
>
>
> 432e58ed was added during 2.6.37 development.

drm/i915: fix integer overflow in i915_gem_do_execbuffer()
Please use CVE-2012-2384 for this issue.

> I think it needs 2 CVEs, due to the different kernel versions
> introducing it.

Agreed.

> Ciao, Marcus

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
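The bug class both quoted commit messages describe (a user-supplied count multiplied into a 32-bit allocation size), as an added example that is not part of the original thread and is not the kernel's code. The function names, the 16-byte element size and the sample counts are assumptions made for illustration; uint32_t stands in for size_t on a 32-bit system.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Byte size as a 32-bit system computes it: the product is reduced
 * modulo 2^32, so a large count yields a small allocation size. */
static uint32_t size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Bytes a per-element loop really needs, computed without wrap-around. */
static uint64_t size_needed(uint32_t count, uint32_t elem_size)
{
    return (uint64_t)count * elem_size;
}

/* True when the wrapped allocation is smaller than what the loop over
 * `count` elements will touch: the out-of-bounds condition. */
static bool undersized(uint32_t count, uint32_t elem_size)
{
    return size_unchecked(count, elem_size) < size_needed(count, elem_size);
}

/* Bounded form: reject the user-supplied count before multiplying. */
static bool size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size == 0 || count == 0 || count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

int main(void)
{
    const uint32_t elem = 16;  /* hypothetical element size */
    /* Constructed sample counts: small, largest that fits, first that wraps. */
    const uint32_t counts[] = { 4, 0x0FFFFFFFu, 0x10000001u };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t sz = 0;
        bool ok = size_checked(counts[i], elem, &sz);
        printf("count=%#x wrapped=%u needed=%llu undersized=%d accepted=%d\n",
               (unsigned)counts[i], (unsigned)size_unchecked(counts[i], elem),
               (unsigned long long)size_needed(counts[i], elem),
               undersized(counts[i], elem), ok);
    }
    return 0;
}
```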