linux

History

Kees Cook 2dc705a993 fbdev: color map copying bounds checking Copying color maps to userspace doesn't check the value of to->start, which will cause kernel heap buffer OOB read due to signedness wraps. CVE-2016-8405 Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast Fixes: `1da177e4c3` ("Linux-2.6.12-rc2") Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Peter Pi (@heisecode) of Trend Micro Cc: Min Chong <mchong@google.com> Cc: Dan Carpenter <dan.carpenter@oracle.com> Cc: Tomi Valkeinen <tomi.valkeinen@ti.com> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>		2017-01-24 16:26:14 -08:00
..
cfbcopyarea.c	framebuffer: fix screen corruption when copying	2014-09-30 13:39:50 +03:00
cfbfillrect.c
cfbimgblt.c
fb_cmdline.c	video/fbdev: Always built-in video= cmdline parsing	2014-08-06 14:50:02 +02:00
fb_ddc.c	fb_ddc: Allow I2C adapters without SCL read capability	2015-09-30 10:46:55 +03:00
fb_defio.c	fbdev: fb_defio: Export fb_deferred_io_mmap	2016-05-02 16:24:49 +02:00
fb_draw.h
fb_notify.c
fb_sys_fops.c
fbcmap.c	fbdev: color map copying bounds checking	2017-01-24 16:26:14 -08:00
fbcvt.c	fbdev: fix CVT vertical front and back porch values	2015-01-27 13:35:37 +02:00
fbmem.c	fbdev: fbmem: implement error handling in fbmem_init()	2016-05-10 11:58:29 +03:00
fbmon.c	fbmon: remove unused function argument	2016-07-26 16:19:19 -07:00
fbsysfs.c	fbdev: fix snprintf() limit in show_bl_curve()	2015-09-01 13:52:23 +03:00
Makefile	fbdev: Make fb-notify a no-op if CONFIG_FB=n	2015-12-15 15:41:24 +02:00
modedb.c	fbdev: fix cea_modes array size	2015-08-20 10:20:11 +03:00
svgalib.c
syscopyarea.c	video: fbdev: fix sys_copyarea	2015-01-30 09:46:59 +02:00
sysfillrect.c
sysimgblt.c