[SECURITY] CAN-2004-0003 R128 DRI limits checking.

From: Dave Jones
Date: Tue Mar 09 2004 - 11:24:56 EST

Next message: Andrea Arcangeli: "Re: objrmap-core-1 (rmap removal for file mappings to avoid 4:4 in <=16G machines)"
Previous message: Jeremy Jackson: "Re: [PATCH] 2.6.x BSD Process Accounting w/High UID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This got fixed in 2.4, but somehow got missed in 2.6.
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0003 has more info.

Dave

--- linux-2.6.3/drivers/char/drm/r128_state.c~ 2004-03-09 16:12:59.000000000 +0000
+++ linux-2.6.3/drivers/char/drm/r128_state.c 2004-03-09 16:13:42.000000000 +0000
@@ -915,6 +915,9 @@
DRM_DEBUG( "\n" );

count = depth->n;
+ if (count > 4096 || count <= 0)
+ return -EMSGSIZE;
+
if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) {
return DRM_ERR(EFAULT);
}
@@ -1008,6 +1011,8 @@
DRM_DEBUG( "\n" );

count = depth->n;
+ if (count > 4096 || count <= 0)
+ return -EMSGSIZE;

xbuf_size = count * sizeof(*x);
ybuf_size = count * sizeof(*y);
@@ -1125,6 +1130,9 @@
DRM_DEBUG( "\n" );

count = depth->n;
+ if (count > 4096 || count <= 0)
+ return -EMSGSIZE;
+
if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) {
return DRM_ERR(EFAULT);
}
@@ -1167,6 +1175,9 @@
DRM_DEBUG( "%s\n", __FUNCTION__ );

count = depth->n;
+ if (count > 4096 || count <= 0)
+ return -EMSGSIZE;
+
if ( count > dev_priv->depth_pitch ) {
count = dev_priv->depth_pitch;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrea Arcangeli: "Re: objrmap-core-1 (rmap removal for file mappings to avoid 4:4 in <=16G machines)"
Previous message: Jeremy Jackson: "Re: [PATCH] 2.6.x BSD Process Accounting w/High UID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]