linux/drivers/char/agp
Vasiliy Kulikov 194b3da873 agp: fix arbitrary kernel memory writes
pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, a user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-04-21 12:16:55 +10:00
agp.h Fix common misspellings 2011-03-31 11:26:23 -03:00
ali-agp.c agp: use scratch page on memory remove and at GATT creation V4 2010-04-23 13:59:18 +10:00
alpha-agp.c const: mark struct vm_struct_operations 2009-09-27 11:39:25 -07:00
amd64-agp.c amd64-agp: fix crash at second module load 2011-02-23 18:29:17 +10:00
amd-k7-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00
ati-agp.c agp: use scratch page on memory remove and at GATT creation V4 2010-04-23 13:59:18 +10:00
backend.c agp: kill agp_(map|unmap)_page 2010-09-21 11:36:11 +01:00
compat_ioctl.c agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23 20:14:45 +00:00
compat_ioctl.h agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23 20:14:45 +00:00
efficeon-agp.c agp: efficeon-agp: do not use PCI resources before pci_enable_device() 2010-08-05 12:28:21 +10:00
frontend.c agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23 20:14:45 +00:00
generic.c agp: fix arbitrary kernel memory writes 2011-04-21 12:16:55 +10:00
hp-agp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
i460-agp.c Update broken web addresses in the kernel. 2010-10-18 11:03:14 +02:00
intel-agp.c agp: ensure GART has an address before enabling it 2011-02-04 09:43:57 +10:00
intel-agp.h agp/intel: Experiment with a 855GM GWB bit 2011-02-22 15:52:41 +00:00
intel-gtt.c agp/intel: Experiment with a 855GM GWB bit 2011-02-22 15:52:41 +00:00
isoch.c agp: use dev_printk when possible 2008-08-12 10:13:38 +10:00
Kconfig Revert "agp: AMD AGP is used on UP1100 & UP1500 alpha boxen" 2011-02-04 09:42:25 +10:00
Makefile agp/intel: make intel-gtt.c into a real source file 2010-09-08 21:20:06 +01:00
nvidia-agp.c agp: use scratch page on memory remove and at GATT creation V4 2010-04-23 13:59:18 +10:00
parisc-agp.c parisc-agp: fix missing slab.h include 2010-10-29 13:26:48 -04:00
sgi-agp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sis-agp.c sis-agp: Remove SIS 760, handled by amd64-agp 2010-05-19 10:11:23 +10:00
sworks-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00
uninorth-agp.c agp/uninorth: Fix oops caused by flushing too much 2010-06-02 17:50:37 +10:00
via-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00