Linux Kernel i915 driver in the Direct Rendering Manager Integer Overflow

2013.03.21
Credit: Kees Cook
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-189


Ogólna skala CVSS: 7.2/10
Znaczenie: 10/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. Signed-off-by: Kees Cook Reported-by: Pinkie Pie --- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 752e399..62eaa99 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c @@ -585,7 +585,8 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, struct drm_i915_gem_object *obj; bool need_relocs; int *reloc_offset; - int i, total, ret; + int ret; + unsigned int i, total; int count = args->buffer_count; /* We may process another execbuffer during the unlock... */ @@ -600,8 +601,13 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, mutex_unlock(&dev->struct_mutex); total = 0; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (exec[i].relocation_count > UINT_MAX - total) { + mutex_lock(&dev->struct_mutex); + return -ENOMEM; + } total += exec[i].relocation_count; + } reloc_offset = drm_malloc_ab(count, sizeof(*reloc_offset)); reloc = drm_malloc_ab(total, sizeof(*reloc)); -- 1.7.9.5 -- Kees Cook Chrome OS Security

Referencje:

https://lkml.org/lkml/2013/3/11/501
https://gerrit.chromium.org/gerrit/45118
https://code.google.com/p/chromium-os/issues/detail?id=39733
http://openwall.com/lists/oss-security/2013/03/14/22
http://openwall.com/lists/oss-security/2013/03/13/9
http://openwall.com/lists/oss-security/2013/03/11/6
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update-for-chrome-os_15.html
http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git;a=commit;h=c79efdf2b7f68f985922a8272d64269ecd490477


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top