author | Ben Hutchings <ben@decadent.org.uk> | 2019-11-10 22:45:58 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-11-10 22:45:58 +0000 |
commit | fb14949a97ba5152b323505b5ddb887c22a6b066 (patch) | |
tree | b923858c2285e2642421966a43cadf5a21194e93 | |
parent | 49c95b56da9685e43a6c6e53c32eef0fd40432f7 (diff) | |
[x86] drm/i915/cmdparser: Fix jump whitelist clearing
Fix a flaw I found in the mitigation for CVE-2019-0155.
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch | 44 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 46 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index dc9728d4b9f2..2d4f4bf2d9e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,7 @@ linux (5.3.9-2) UNRELEASED; urgency=medium
 - drm/i915/cmdparser: Use explicit goto for error paths
 - drm/i915/cmdparser: Add support for backward jumps
 - drm/i915/cmdparser: Ignore Length operands during command matching
+ - drm/i915/cmdparser: Fix jump whitelist clearing
 * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
 - drm/i915: Lower RM timeout to avoid DSI hard hangs
 - drm/i915/gen8+: Add RC6 CTX corruption WA
diff --git a/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch b/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
new file mode 100644
index 000000000000..210c58c190c5
--- /dev/null
+++ b/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
@@ -0,0 +1,44 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 10 Nov 2019 22:08:12 +0000
+Subject: drm/i915/cmdparser: Fix jump whitelist clearing
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
+
+When a jump_whitelist bitmap is reused, it needs to be cleared.
+Currently this is done with memset() and the size calculation assumes
+bitmaps are made of 32-bit words, not longs. So on 64-bit
+architectures, only the first half of the bitmap is cleared.
+
+If some whitelist bits are carried over between successive batches
+submitted on the same context, this will presumably allow embedding
+the rogue instructions that we're trying to reject.
+
+Use bitmap_zero() instead, which gets the calculation right.
+
+Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/i915/i915_cmd_parser.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
++++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
+@@ -1374,7 +1374,7 @@ static void init_whitelist(struct i915_g
+ return;
+
+ if (batch_cmds <= ctx->jump_whitelist_cmds) {
+- memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
++ bitmap_zero(ctx->jump_whitelist, batch_cmds);
+ return;
+ }
+
+@@ -1394,8 +1394,7 @@ again:
+ }
+
+ DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
+- memset(ctx->jump_whitelist, 0,
+- BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
++ bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
+
+ return;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 320b83bbecb8..3bb02d7ace62 100644
--- a/debian/patches/series
+++ b/debian/patches/series
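Review bot: In the first hunk of the embedded patch, the reuse path clears only the first `batch_cmds` bits (`bitmap_zero(ctx->jump_whitelist, batch_cmds);`) although the bitmap is kept at `ctx->jump_whitelist_cmds` bits, so bits in the range [batch_cmds, jump_whitelist_cmds) set by an earlier, larger batch on the same context are presumably left standing. That is only harmless if every BB_START target index is bounds-checked against the current batch before `jump_whitelist` is consulted; that check lies outside this hunk and should be confirmed, otherwise the reuse path should clear the whole allocation as the second hunk does: `bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);`. The enclosing function `init_whitelist` both starts before and ends after the first hunk. The patch header also carries no `Origin:` field; once the fix lands upstream, recording the upstream commit there keeps the Debian series traceable.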
@@ -171,6 +171,7 @@ bugfix/x86/i915/0009-drm-i915-cmdparser-Add-support-for-backward-jumps.patch
 bugfix/x86/i915/0010-drm-i915-cmdparser-Ignore-Length-operands-during-com.patch
 bugfix/x86/i915/0011-drm-i915-Lower-RM-timeout-to-avoid-DSI-hard-hangs.patch
 bugfix/x86/i915/0012-drm-i915-gen8-Add-RC6-CTX-corruption-WA.patch
+bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |