From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 6 Nov 2017 07:56:59 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.80~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed4913e8c567495d5dce17db712316eccfcd79ab;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	drm-msm-fix-an-integer-overflow-test.patch
	drm-msm-fix-potential-buffer-overflow-issue.patch
---

diff --git a/queue-4.9/drm-msm-fix-an-integer-overflow-test.patch b/queue-4.9/drm-msm-fix-an-integer-overflow-test.patch
new file mode 100644
index 00000000000..4efaacbd9e3
--- /dev/null
+++ b/queue-4.9/drm-msm-fix-an-integer-overflow-test.patch
@@ -0,0 +1,42 @@
+From 65e93108891e571f177c202add9288eda9ac4100 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 30 Jun 2017 10:59:15 +0300
+Subject: drm/msm: fix an integer overflow test
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 65e93108891e571f177c202add9288eda9ac4100 upstream.
+
+We recently added an integer overflow check but it needs an additional
+tweak to work properly on 32 bit systems.
+
+The problem is that we're doing the right hand side of the assignment as
+type unsigned long so the max it will have an integer overflow instead
+of being larger than SIZE_MAX.  That means the "sz > SIZE_MAX" condition
+is never true even on 32 bit systems.  We need to first cast it to u64
+and then do the math.
+
+Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -34,8 +34,8 @@ static struct msm_gem_submit *submit_cre
+ 		struct msm_gpu *gpu, uint32_t nr_bos, uint32_t nr_cmds)
+ {
+ 	struct msm_gem_submit *submit;
+-	uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
+-		(nr_cmds * sizeof(submit->cmd[0]));
++	uint64_t sz = sizeof(*submit) + ((u64)nr_bos * sizeof(submit->bos[0])) +
++		((u64)nr_cmds * sizeof(submit->cmd[0]));
+ 
+ 	if (sz > SIZE_MAX)
+ 		return NULL;
diff --git a/queue-4.9/drm-msm-fix-potential-buffer-overflow-issue.patch b/queue-4.9/drm-msm-fix-potential-buffer-overflow-issue.patch
new file mode 100644
index 00000000000..de5a1a73c33
--- /dev/null
+++ b/queue-4.9/drm-msm-fix-potential-buffer-overflow-issue.patch
@@ -0,0 +1,43 @@
+From 4a630fadbb29d9efaedb525f1a8f7449ad107641 Mon Sep 17 00:00:00 2001
+From: Kasin Li <donglil@codeaurora.org>
+Date: Mon, 19 Jun 2017 15:36:53 -0600
+Subject: drm/msm: Fix potential buffer overflow issue
+
+From: Kasin Li <donglil@codeaurora.org>
+
+commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream.
+
+In function submit_create, if nr_cmds or nr_bos is assigned with
+negative value, the allocated buffer may be small than intended.
+Using this buffer will lead to buffer overflow issue.
+
+Signed-off-by: Kasin Li <donglil@codeaurora.org>
+Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -31,11 +31,14 @@
+ #define BO_PINNED   0x2000
+ 
+ static struct msm_gem_submit *submit_create(struct drm_device *dev,
+-		struct msm_gpu *gpu, int nr_bos, int nr_cmds)
++		struct msm_gpu *gpu, uint32_t nr_bos, uint32_t nr_cmds)
+ {
+ 	struct msm_gem_submit *submit;
+-	int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
+-			(nr_cmds * sizeof(*submit->cmd));
++	uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
++		(nr_cmds * sizeof(submit->cmd[0]));
++
++	if (sz > SIZE_MAX)
++		return NULL;
+ 
+ 	submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
+ 	if (!submit)
diff --git a/queue-4.9/series b/queue-4.9/series
index d46560a717f..b4c0dc86251 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -11,3 +11,5 @@ arm-8715-1-add-a-private-asm-unaligned.h.patch
 drm-amdgpu-return-enoent-from-uvd-6.0-early-init-for-harvesting.patch
 ocfs2-fstrim-fix-start-offset-of-first-cluster-group-during-fstrim.patch
 drm-i915-edp-read-edp-display-control-registers-unconditionally.patch
+drm-msm-fix-potential-buffer-overflow-issue.patch
+drm-msm-fix-an-integer-overflow-test.patch