[kernel] r9284 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Tue, 07 Aug 2007 15:06:37 -0700 

Author: dannf
Date: Tue Aug  7 22:06:33 2007
New Revision: 9284

Log:
  [SECURITY] Fix remotely triggerable NULL pointer dereference
* bugfix/i965-secure-batchbuffer.patch
  [SECURITY] Fix i965 secured batchbuffer usage
  See CVE-2007-3851

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/i965-secure-batchbuffer.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Tue Aug  7 22:06:33 2007
@@ -27,10 +27,13 @@
     extraction that resulted in slightly less random numbers.
     See CVE-2007-2453
   * bugfix/nf_conntrack_sctp-null-deref.patch
-    [SECURITY] Fix remotely triggerable NULL pointer dereference 
+    [SECURITY] Fix remotely triggerable NULL pointer dereference
     by sending an unknown chunk type.
+  * bugfix/i965-secure-batchbuffer.patch
+    [SECURITY] Fix i965 secured batchbuffer usage
+    See CVE-2007-3851
 
- -- dann frazier <[EMAIL PROTECTED]>  Sun, 15 Jul 2007 14:01:50 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Tue,  7 Aug 2007 16:04:41 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/i965-secure-batchbuffer.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/i965-secure-batchbuffer.patch
   Tue Aug  7 22:06:33 2007
@@ -0,0 +1,67 @@
+From: Dave Airlie <[EMAIL PROTECTED]>
+Date: Mon, 6 Aug 2007 23:09:51 +0000 (+1000)
+Subject: drm/i915: Fix i965 secured batchbuffer usage
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=21f16289270447673a7263ccc0b22d562fb01ecb
+
+drm/i915: Fix i965 secured batchbuffer usage
+
+This 965G and above chipsets moved the batch buffer non-secure bits to
+another place. This means that previous drm's allowed in-secure batchbuffers
+to be submitted to the hardware from non-privileged users who are logged
+into X and and have access to direct rendering.
+
+Signed-off-by: Dave Airlie <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/drivers/char/drm/i915_dma.c b/drivers/char/drm/i915_dma.c
+index 3359cc2..8e7d713 100644
+--- a/drivers/char/drm/i915_dma.c
++++ b/drivers/char/drm/i915_dma.c
+@@ -184,6 +184,8 @@ static int i915_initialize(struct drm_device * dev,
+        * private backbuffer/depthbuffer usage.
+        */
+       dev_priv->use_mi_batchbuffer_start = 0;
++      if (IS_I965G(dev)) /* 965 doesn't support older method */
++              dev_priv->use_mi_batchbuffer_start = 1;
+ 
+       /* Allow hardware batchbuffers unless told otherwise.
+        */
+@@ -517,8 +519,13 @@ static int i915_dispatch_batchbuffer(struct drm_device * 
dev,
+ 
+               if (dev_priv->use_mi_batchbuffer_start) {
+                       BEGIN_LP_RING(2);
+-                      OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
+-                      OUT_RING(batch->start | MI_BATCH_NON_SECURE);
++                      if (IS_I965G(dev)) {
++                              OUT_RING(MI_BATCH_BUFFER_START | (2 << 6) | 
MI_BATCH_NON_SECURE_I965);
++                              OUT_RING(batch->start);
++                      } else {
++                              OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
++                              OUT_RING(batch->start | MI_BATCH_NON_SECURE);
++                      }
+                       ADVANCE_LP_RING();
+               } else {
+                       BEGIN_LP_RING(4);
+@@ -735,7 +742,8 @@ static int i915_setparam(DRM_IOCTL_ARGS)
+ 
+       switch (param.param) {
+       case I915_SETPARAM_USE_MI_BATCHBUFFER_START:
+-              dev_priv->use_mi_batchbuffer_start = param.value;
++              if (!IS_I965G(dev))
++                      dev_priv->use_mi_batchbuffer_start = param.value;
+               break;
+       case I915_SETPARAM_TEX_LRU_LOG_GRANULARITY:
+               dev_priv->tex_lru_log_granularity = param.value;
+diff --git a/drivers/char/drm/i915_drv.h b/drivers/char/drm/i915_drv.h
+index fd91856..737088b 100644
+--- a/drivers/char/drm/i915_drv.h
++++ b/drivers/char/drm/i915_drv.h
+@@ -282,6 +282,7 @@ extern int i915_wait_ring(struct drm_device * dev, int n, 
const char *caller);
+ #define MI_BATCH_BUFFER_START         (0x31<<23)
+ #define MI_BATCH_BUFFER_END   (0xA<<23)
+ #define MI_BATCH_NON_SECURE   (1)
++#define MI_BATCH_NON_SECURE_I965 (1<<8)
+ 
+ #define MI_WAIT_FOR_EVENT       ((0x3<<23))
+ #define MI_WAIT_FOR_PLANE_A_FLIP      (1<<2)

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1 Tue Aug  7 
22:06:33 2007
@@ -8,3 +8,4 @@
 + bugfix/random-fix-seeding-with-zero-entropy.patch
 + bugfix/random-fix-error-in-entropy-extraction.patch
 + bugfix/nf_conntrack_sctp-null-deref.patch
++ bugfix/i965-secure-batchbuffer.patch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to