From: Greg Kroah-Hartman
Date: Sat, 1 Aug 2020 13:35:27 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.7.13~47
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f5fea723144e359775be60a7ee8cc4493188900;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
---
diff --git a/queue-4.9/drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch b/queue-4.9/drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
new file mode 100644
index 00000000000..376d4e1e7c0
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
@@ -0,0 +1,46 @@
+From 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Tue, 28 Jul 2020 15:29:24 -0400
+Subject: drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peilin Ye
+
+commit 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 upstream.
+
+Compiler leaves a 4-byte hole near the end of `dev_info`, causing
+amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
+when `size` is greater than 356.
+
+In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
+unfortunately does not initialize that 4-byte hole. Fix it by using
+memset() instead.
+
+Cc: stable@vger.kernel.org
+Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Suggested-by: Dan Carpenter
+Reviewed-by: Christian König
+Signed-off-by: Peilin Ye
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -452,8 +452,9 @@ static int amdgpu_info_ioctl(struct drm_
+ return n ? -EFAULT : 0;
+ }
+ case AMDGPU_INFO_DEV_INFO: {
+- struct drm_amdgpu_info_device dev_info = {};
++ struct drm_amdgpu_info_device dev_info;
+
++ memset(&dev_info, 0, sizeof(dev_info));
+ dev_info.device_id = dev->pdev->device;
+ dev_info.chip_rev = adev->rev_id;
+ dev_info.external_rev = adev->external_rev_id;
diff --git a/queue-4.9/drm-hold-gem-reference-until-object-is-no-longer-accessed.patch b/queue-4.9/drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
new file mode 100644
index 00000000000..ed6313e2eb6
--- /dev/null
+++ b/queue-4.9/drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
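Review bot: The added `memset(&dev_info, 0, sizeof(dev_info));` in the nested amdgpu_kms.c hunk carries no comment saying why it replaced the `= {}` initializer, even though the commit message explains that the initializer left a 4-byte padding hole uninitialized before the struct is copied to userspace; a later cleanup could revert to the initializer form without noticing the regression. A one-line comment above the memset would keep the reason in the code: `/* memset(), not "= {}": padding bytes must be zeroed too, the struct is copied to userspace */`. The rest of amdgpu_info_ioctl(), including the copy to userspace and the size handling the message refers to, lies outside the hunk, so those could not be checked here.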
@@ -0,0 +1,57 @@
+From 8490d6a7e0a0a6fab5c2d82d57a3937306660864 Mon Sep 17 00:00:00 2001
+From: Steve Cohen
+Date: Mon, 20 Jul 2020 18:30:50 -0400
+Subject: drm: hold gem reference until object is no longer accessed
+
+From: Steve Cohen
+
+commit 8490d6a7e0a0a6fab5c2d82d57a3937306660864 upstream.
+
+A use-after-free in drm_gem_open_ioctl can happen if the
+GEM object handle is closed between the idr lookup and
+retrieving the size from said object since a local reference
+is not being held at that point. Hold the local reference
+while the object can still be accessed to fix this and
+plug the potential security hole.
+
+Signed-off-by: Steve Cohen
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/1595284250-31580-1-git-send-email-cohens@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_gem.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -694,9 +694,6 @@ err:
+ * @file_priv: drm file-private structure
+ *
+ * Open an object using the global name, returning a handle and the size.
+- *
+- * This handle (of course) holds a reference to the object, so the object
+- * will not go away until the handle is deleted.
+ */
+ int
+ drm_gem_open_ioctl(struct drm_device *dev, void *data,
+@@ -721,14 +718,15 @@ drm_gem_open_ioctl(struct drm_device *de
+
+ /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
+ ret = drm_gem_handle_create_tail(file_priv, obj, &handle);
+- drm_gem_object_unreference_unlocked(obj);
+ if (ret)
+- return ret;
++ goto err;
+
+ args->handle = handle;
+ args->size = obj->size;
+
+- return 0;
++err:
++ drm_gem_object_unreference_unlocked(obj);
++ return ret;
+ }
+
+ /**
diff --git a/queue-4.9/series b/queue-4.9/series
index 78e470eff89..d12db57bc4e 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
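Review bot: The new `err:` label in drm_gem_open_ioctl() drops the local reference on both the success and the failure path, but nothing in the code marks that `obj` must not be touched after that call, which is precisely the ordering mistake the commit message describes; a comment at the label would pin the invariant for the next edit: `err: /* last use of obj is above: drop our reference, do not dereference obj after this */`. The first nested hunk removes the kerneldoc sentence about the handle holding a reference without replacing it, so the ownership contract is now undocumented; a line in the kerneldoc along the lines of "the returned handle holds its own reference to the object; the reference taken for the lookup is released before return" would restore it, assuming that matches the lookup code at the top of the function. The start of drm_gem_open_ioctl(), where the name lookup and the reference acquisition happen, lies outside the hunk and could not be checked here.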
@@ -11,3 +11,5 @@ pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
 arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
 random32-update-the-net-random-state-on-interrupt-and-activity.patch
 arm-percpu.h-fix-build-error.patch
+drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
+drm-hold-gem-reference-until-object-is-no-longer-accessed.patch