[x86] drm/i915/cmdparser: Fix jump whitelist clearing

Fix a flaw I found in the mitigation for CVE-2019-0155.

3 files changed, 46 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index dc9728d4b9f2..2d4f4bf2d9e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,7 @@ linux (5.3.9-2) UNRELEASED; urgency=medium
     - drm/i915/cmdparser: Use explicit goto for error paths
     - drm/i915/cmdparser: Add support for backward jumps
     - drm/i915/cmdparser: Ignore Length operands during command matching
+    - drm/i915/cmdparser: Fix jump whitelist clearing
   * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
     - drm/i915: Lower RM timeout to avoid DSI hard hangs
     - drm/i915/gen8+: Add RC6 CTX corruption WA
diff --git a/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch b/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
new file mode 100644
index 000000000000..210c58c190c5
--- /dev/null
+++ b/debian/patches/bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
@@ -0,0 +1,44 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 10 Nov 2019 22:08:12 +0000
+Subject: drm/i915/cmdparser: Fix jump whitelist clearing
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0155
+
+When a jump_whitelist bitmap is reused, it needs to be cleared.
+Currently this is done with memset() and the size calculation assumes
+bitmaps are made of 32-bit words, not longs.  So on 64-bit
+architectures, only the first half of the bitmap is cleared.
+
+If some whitelist bits are carried over between successive batches
+submitted on the same context, this will presumably allow embedding
+the rogue instructions that we're trying to reject.
+
+Use bitmap_zero() instead, which gets the calculation right.
+
+Fixes: f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/i915/i915_cmd_parser.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_cmd_parser.c
++++ b/drivers/gpu/drm/i915/i915_cmd_parser.c
+@@ -1374,7 +1374,7 @@ static void init_whitelist(struct i915_g
+ 		return;
+ 
+ 	if (batch_cmds <= ctx->jump_whitelist_cmds) {
+-		memset(ctx->jump_whitelist, 0, exact_size * sizeof(u32));
++		bitmap_zero(ctx->jump_whitelist, batch_cmds);
+ 		return;
+ 	}
+ 
+@@ -1394,8 +1394,7 @@ again:
+ 	}
+ 
+ 	DRM_DEBUG("CMD: Failed to extend whitelist. BB_START may be disallowed\n");
+-	memset(ctx->jump_whitelist, 0,
+-	       BITS_TO_LONGS(ctx->jump_whitelist_cmds) * sizeof(u32));
++	bitmap_zero(ctx->jump_whitelist, ctx->jump_whitelist_cmds);
+ 
+ 	return;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 320b83bbecb8..3bb02d7ace62 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -171,6 +171,7 @@ bugfix/x86/i915/0009-drm-i915-cmdparser-Add-support-for-backward-jumps.patch
 bugfix/x86/i915/0010-drm-i915-cmdparser-Ignore-Length-operands-during-com.patch
 bugfix/x86/i915/0011-drm-i915-Lower-RM-timeout-to-avoid-DSI-hard-hangs.patch
 bugfix/x86/i915/0012-drm-i915-gen8-Add-RC6-CTX-corruption-WA.patch
+bugfix/x86/i915/drm-i915-cmdparser-fix-jump-whitelist-clearing.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch