Gentoo's Bugzilla – Attachment 25950 Details for Bug 42024: Linux kernel do_mremap VMA limit local privilege escalation vulnerability
[patch] Fix user/kernel copying in DRI GAMMA driver.
drm-gamma-redhat.patch (text/plain), 5.32 KB, created by antiher0 on 2004-02-19 14:17:02 UTC

Description: Fix user/kernel copying in DRI GAMMA driver.
Filename: drm-gamma-redhat.patch
MIME Type: text/plain
Creator: antiher0
Created: 2004-02-19 14:17:02 UTC
Size: 5.32 KB
Flags: patch, obsolete
>--- linux/drivers/char/drm/gamma_dma.c 2004-02-19 13:31:16.000000000 -0600 >+++ linux/drivers/char/drm/gamma_dma.c 2004-02-19 14:04:46.000000000 -0600 >@@ -352,6 +352,8 @@ > drm_buf_t *buf; > drm_buf_t *last_buf = NULL; > drm_device_dma_t *dma = dev->dma; >+ int *drm_send_indices = NULL; >+ int *drm_send_sizes = NULL; > DECLARE_WAITQUEUE(entry, current); > > /* Turn off interrupt handling */ >@@ -371,11 +373,27 @@ > ++must_free; > } > >+ drm_send_indices = kmalloc (d->send_count * sizeof(*drm_send_indices), GFP_KERNEL); >+ drm_send_sizes = kmalloc (d->send_count * sizeof(*drm_send_sizes), GFP_KERNEL); >+ if (! drm_send_indices || ! drm_send_sizes) >+ { >+ retcode = -ENOMEM; >+ goto cleanup; >+ } >+ if (copy_from_user(drm_send_indices, d->send_indices, >+ d->send_count * sizeof(*drm_send_indices)) || >+ copy_from_user(drm_send_sizes, d->send_sizes, >+ d->send_count * sizeof(*drm_send_sizes))) >+ { >+ retcode = -EFAULT; >+ goto cleanup; >+ } >+ > for (i = 0; i < d->send_count; i++) { >- idx = d->send_indices[i]; >+ idx = drm_send_indices[i]; > if (idx < 0 || idx >= dma->buf_count) { > DRM_ERROR("Index %d (of %d max)\n", >- d->send_indices[i], dma->buf_count - 1); >+ drm_send_indices[i], dma->buf_count - 1); > continue; > } > buf = dma->buflist[ idx ]; >@@ -397,7 +415,7 @@ > process closes the /dev/drm? handle, so > it can't also be doing DMA. */ > buf->list = DRM_LIST_PRIO; >- buf->used = d->send_sizes[i]; >+ buf->used = drm_send_sizes[i]; > buf->context = d->context; > buf->while_locked = d->flags & _DRM_DMA_WHILE_LOCKED; > address = (unsigned long)buf->address; >@@ -408,14 +426,14 @@ > if (buf->pending) { > DRM_ERROR("Sending pending buffer:" > " buffer %d, offset %d\n", >- d->send_indices[i], i); >+ drm_send_indices[i], i); > retcode = -EINVAL; > goto cleanup; > } > if (buf->waiting) { > DRM_ERROR("Sending waiting buffer:" > " buffer %d, offset %d\n", >- d->send_indices[i], i); >+ drm_send_indices[i], i); > retcode = -EINVAL; > goto cleanup; > } 
>@@ -464,6 +482,10 @@ > > > cleanup: >+ if (drm_send_indices) >+ kfree(drm_send_indices); >+ if (drm_send_sizes) >+ kfree(drm_send_sizes); > if (last_buf) { > gamma_dma_ready(dev); > gamma_free_buffer(dev, last_buf); >@@ -487,7 +509,11 @@ > drm_device_dma_t *dma = dev->dma; > > if (d->flags & _DRM_DMA_BLOCK) { >- last_buf = dma->buflist[d->send_indices[d->send_count-1]]; >+ int lastindex; >+ if (copy_from_user(&lastindex, &d->send_indices[d->send_count-1], >+ sizeof(lastindex))) >+ return -EFAULT; >+ last_buf = dma->buflist[lastindex]; > add_wait_queue(&last_buf->dma_wait, &entry); > } > >--- linux/drivers/char/drm-4.0/gamma_dma.c 2004-02-19 14:07:41.000000000 -0600 >+++ linux/drivers/char/drm-4.0/gamma_dma.c 2004-02-19 14:50:41.000000000 -0600 >@@ -392,6 +392,8 @@ > drm_buf_t *buf; > drm_buf_t *last_buf = NULL; > drm_device_dma_t *dma = dev->dma; >+ int *drm_send_indices = NULL; >+ int *drm_send_sizes = NULL; > DECLARE_WAITQUEUE(entry, current); > > /* Turn off interrupt handling */ >@@ -412,11 +414,27 @@ > } > atomic_inc(&dma->total_prio); > >+ drm_send_indices = kmalloc (d->send_count * sizeof(*drm_send_indices), GFP_KERNEL); >+ drm_send_sizes = kmalloc (d->send_count * sizeof(*drm_send_sizes), GFP_KERNEL); >+ if (! drm_send_indices || ! drm_send_sizes) >+ { >+ retcode = -ENOMEM; >+ goto cleanup; >+ } >+ if (copy_from_user(drm_send_indices, d->send_indices, >+ d->send_count * sizeof(*drm_send_indices)) || >+ copy_from_user(drm_send_sizes, d->send_sizes, >+ d->send_count * sizeof(*drm_send_sizes))) >+ { >+ retcode = -EFAULT; >+ goto cleanup; >+ } >+ > for (i = 0; i < d->send_count; i++) { >- idx = d->send_indices[i]; >+ idx = drm_send_indices[i]; > if (idx < 0 || idx >= dma->buf_count) { > DRM_ERROR("Index %d (of %d max)\n", >- d->send_indices[i], dma->buf_count - 1); >+ drm_send_indices[i], dma->buf_count - 1); > continue; > } > buf = dma->buflist[ idx ]; 
>@@ -438,7 +456,7 @@ > process closes the /dev/drm? handle, so > it can't also be doing DMA. */ > buf->list = DRM_LIST_PRIO; >- buf->used = d->send_sizes[i]; >+ buf->used = drm_send_sizes[i]; > buf->context = d->context; > buf->while_locked = d->flags & _DRM_DMA_WHILE_LOCKED; > address = (unsigned long)buf->address; >@@ -449,14 +467,14 @@ > if (buf->pending) { > DRM_ERROR("Sending pending buffer:" > " buffer %d, offset %d\n", >- d->send_indices[i], i); >+ drm_send_indices[i], i); > retcode = -EINVAL; > goto cleanup; > } > if (buf->waiting) { > DRM_ERROR("Sending waiting buffer:" > " buffer %d, offset %d\n", >- d->send_indices[i], i); >+ drm_send_indices[i], i); > retcode = -EINVAL; > goto cleanup; > } >@@ -505,6 +523,10 @@ > > > cleanup: >+ if (drm_send_indices) >+ kfree(drm_send_indices); >+ if (drm_send_sizes) >+ kfree(drm_send_sizes); > if (last_buf) { > gamma_dma_ready(dev); > drm_free_buffer(dev, last_buf); >@@ -528,7 +550,11 @@ > drm_device_dma_t *dma = dev->dma; > > if (d->flags & _DRM_DMA_BLOCK) { >- last_buf = dma->buflist[d->send_indices[d->send_count-1]]; >+ int lastindex; >+ if (copy_from_user(&lastindex, &d->send_indices[d->send_count-1], >+ sizeof(lastindex))) >+ return -EFAULT; >+ last_buf = dma->buflist[lastindex]; > add_wait_queue(&last_buf->dma_wait, &entry); > } >
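Review bot: In the hunk at @@ -371,11 +373,27 @@ (and its twin at @@ -412,11 +414,27 @@ in drm-4.0/gamma_dma.c) the allocation size `d->send_count * sizeof(*drm_send_indices)` is derived from the user-supplied `send_count` with no range check before `kmalloc()`. A negative or very large `send_count` yields a wrapped or oversized allocation request, and a `send_count` of 0 makes the `d->send_count-1` index used in the blocking path negative. Suggest rejecting the request up front, before the allocations, with something like `if (d->send_count <= 0 || d->send_count > dma->buf_count) { retcode = -EINVAL; goto cleanup; }`, which also bounds the copy_from_user length. Separately, since the function opens with the comment "Turn off interrupt handling", please confirm that the new `kmalloc(GFP_KERNEL)` and `copy_from_user()` calls, both of which can sleep, are not reached with interrupts disabled or a spinlock held at that point.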
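Review bot: In the hunk at @@ -487,7 +509,11 @@ (and @@ -528,7 +550,11 @@ in drm-4.0/gamma_dma.c) `lastindex` is copied from user space and then used directly in `dma->buflist[lastindex]` without the `idx < 0 || idx >= dma->buf_count` check that the per-buffer loop applies to every other index; add the same check and return -EINVAL before indexing. Note also that this is a second, independent read of the user-space `send_indices` array rather than of the kernel copy taken in the send loop, so the value seen here can differ from the one the loop validated; a comment saying the bounds check is what makes that acceptable would help the next reader.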
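Review bot: In the cleanup hunk at @@ -464,6 +482,10 @@ (and @@ -505,6 +523,10 @@ in drm-4.0/gamma_dma.c) the `if (drm_send_indices)` / `if (drm_send_sizes)` guards are redundant, since `kfree()` accepts a NULL pointer; `kfree(drm_send_indices); kfree(drm_send_sizes);` is sufficient and matches kernel style. The placement itself is right: the -ENOMEM path can reach `cleanup` with one of the two buffers allocated, and both are freed here.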
Attachments on bug 42024: 25878 | 25879 | 25949 | 25950 | 26198