Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 25949 Details for
Bug 42024
Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Check limits in R128 DRI drivers. (CAN-2004-0003)
r128-CAN-2004-0003.patch (text/plain), 1.73 KB, created by
antiher0
on 2004-02-19 14:16:34 UTC
(
hide
)
Description:
Check limits in R128 DRI drivers. (CAN-2004-0003)
Filename:
MIME Type:
Creator:
antiher0
Created:
2004-02-19 14:16:34 UTC
Size:
1.73 KB
patch
obsolete
>--- linux/drivers/char/drm/r128_state.c 2004-02-19 12:46:36.000000000 -0600 >+++ linux/drivers/char/drm/r128_state.c 2004-02-19 12:52:25.000000000 -0600 >@@ -25,6 +25,8 @@ > * > * Authors: > * Gareth Hughes <gareth@valinux.com> >+ * >+ * Memory allocation size checks added 14/01/2003, Alan Cox <alan@redhat.com> > */ > > #include "r128.h" >@@ -901,6 +903,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if( count > 4096 ) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >@@ -995,6 +1000,9 @@ > > count = depth->n; > >+ if( count > 4096 ) >+ return -EMSGSIZE; >+ > x = kmalloc( count * sizeof(*x), GFP_KERNEL ); > if ( x == NULL ) { > return -ENOMEM; >@@ -1109,6 +1117,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if ( count > 4096 ) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >--- linux/drivers/char/drm-4.0/r128_state.c 2004-02-19 13:02:56.000000000 -0600 >+++ linux/drivers/char/drm-4.0/r128_state.c 2004-02-19 13:19:12.000000000 -0600 >@@ -26,6 +26,7 @@ > * Authors: > * Gareth Hughes <gareth@valinux.com> > * >+ * Memory allocation size checks added 14/01/2003, Alan Cox <alan@redhat.com> > */ > > #define __NO_VERSION__ >@@ -938,6 +939,9 @@ > } > > count = depth->n; >+ >+ if( count > 4096 ) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >@@ -1048,6 +1052,9 @@ > > count = depth->n; > >+ if( count > 4096 ) >+ return -EMSGSIZE; >+ > x = kmalloc( count * sizeof(*x), 0 ); > if ( x == NULL ) { > return -ENOMEM; >@@ -1178,6 +1185,9 @@ > } > > count = depth->n; >+ >+ if ( count > 4096 ) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 42024
:
25878
|
25879
| 25949 |
25950
|
26198