DivestOS/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch

From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001
From: Kasin Li <donglil@codeaurora.org>
Date: Wed, 22 Feb 2017 18:25:36 +0800
Subject: drm/msm: Fix potential buffer overflow issue

In function submit_create, if nr_cmds or nr_bos is assigned with
negative value, the allocated buffer may be small than intended.
Using this buffer will lead to buffer overflow issue.

Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed
Signed-off-by: Kasin Li <donglil@codeaurora.org>
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index adbb0cb..fa9b641 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address)
 }
 
 static struct msm_gem_submit *submit_create(struct drm_device *dev,
-		struct msm_gpu *gpu, int nr_cmds, int nr_bos)
+		struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos)
 {
 	struct msm_gem_submit *submit;
-	int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
+	uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
 		(nr_cmds * sizeof(submit->cmd[0]));
 
+	if (sz > SIZE_MAX)
+		return NULL;
+
 	submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
 	if (submit) {
 		submit->dev = dev;
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001`
			`From: Kasin Li <donglil@codeaurora.org>`
			`Date: Wed, 22 Feb 2017 18:25:36 +0800`
			`Subject: drm/msm: Fix potential buffer overflow issue`

			`In function submit_create, if nr_cmds or nr_bos is assigned with`
			`negative value, the allocated buffer may be small than intended.`
			`Using this buffer will lead to buffer overflow issue.`

			`Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed`
			`Signed-off-by: Kasin Li <donglil@codeaurora.org>`
			`---`
			`drivers/gpu/drm/msm/msm_gem_submit.c \| 7 +++++--`
			`1 file changed, 5 insertions(+), 2 deletions(-)`

			`diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c`
			`index adbb0cb..fa9b641 100644`
			`--- a/drivers/gpu/drm/msm/msm_gem_submit.c`
			`+++ b/drivers/gpu/drm/msm/msm_gem_submit.c`
			`@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address)`
			`}`

			`static struct msm_gem_submit submit_create(struct drm_device dev,`
			`- struct msm_gpu *gpu, int nr_cmds, int nr_bos)`
			`+ struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos)`
			`{`
			`struct msm_gem_submit *submit;`
			`- int sz = sizeof(submit) + (nr_bos sizeof(submit->bos[0])) +`
			`+ uint64_t sz = sizeof(submit) + (nr_bos sizeof(submit->bos[0])) +`
			`(nr_cmds * sizeof(submit->cmd[0]));`

			`+ if (sz > SIZE_MAX)`
			`+ return NULL;`
			`+`
			`submit = kmalloc(sz, GFP_TEMPORARY \| __GFP_NOWARN \| __GFP_NORETRY);`
			`if (submit) {`
			`submit->dev = dev;`
			`--`
			`cgit v1.1`