From: Takashi Iwai <tiwai@suse.de>
Subject: drm/i915: Add missing access_ok() checks
Patch-mainline: Never, SLE15 only
References: CVE-2018-20669, bsc#1122971

This is a partial backport of the upstream commit 594cc251fdd0
("make 'user_access_begin()' do 'access_ok()'").

Essentially we add the missing access_ok() checks to the two known
places in drm/i915 that were reported in the CVE above.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1567,6 +1567,8 @@ static int eb_copy_relocations(const str
* happened we would make the mistake of assuming that the
* relocations were valid.
*/
+ if (unlikely(!access_ok(VERIFY_WRITE, urelocs, size)))
+ goto end_user;
user_access_begin();
for (copied = 0; copied < nreloc; copied++)
unsafe_put_user(-1,
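Review bot: The new `goto end_user` on the access_ok() failure path runs before `user_access_begin()`, and the body of the `end_user` label is not part of this hunk. If that label calls `user_access_end()`, this path would close a user-access section that was never opened, so please confirm what the label does in the SLE15 tree or jump to a label placed after any `user_access_end()`. The hunk also sets no error code before the jump, so it is worth confirming that the label path returns a failure such as -EFAULT. Finally, the check only protects the `unsafe_put_user()` loop if `size` is the byte length of all `nreloc` entries of `urelocs`; a short comment saying so would make that verifiable from the code.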
@@ -2621,6 +2623,17 @@ i915_gem_execbuffer2(struct drm_device *
unsigned int i;
/* Copy the new buffer offsets back to the user's exec list. */
+ /*
+ * Note: count * sizeof(*user_exec_list) does not overflow,
+ * because we checked 'count' in check_buffer_count().
+ *
+ * And this range already got effectively checked earlier
+ * when we did the "copy_from_user()" above.
+ */
+ if (unlikely(!access_ok(VERIFY_WRITE, user_exec_list,
+ count * sizeof(*user_exec_list))))
+ goto end_user;
+
user_access_begin();
for (i = 0; i < args->buffer_count; i++) {
if (!(exec2_list[i].offset & UPDATE))
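Review bot: The access_ok() length is computed from `count`, while the loop that follows iterates `i < args->buffer_count`, so the check only covers every write if those two values are identical. Please use the same expression in both places, or extend the added comment to say where `count` is derived from `args->buffer_count`. As in the first hunk, `goto end_user` is reached before `user_access_begin()`, so the label must be safe to enter without an open user-access section. The added comment also relies on the earlier `copy_from_user()` having covered this range, which is a read-side check on a range that is written here; stating that the same pointer and length are used in both places would make the reasoning complete.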