linux/drivers/char/agp
Vasiliy Kulikov b522f02184 agp: fix OOM and buffer overflow
page_count is copied from userspace.  agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case.  Also, agp_create_user_memory() doesn't check whether
alloc_size is calculated from the num_agp_pages variable without overflow.
This may lead to allocation of a too-small buffer with a following buffer
overflow.

Another problem in the agp code is not addressed in the patch: kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
whether the requested pid is the pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB; there is no per-process limit, though.
This might lead to an OOM situation, which is not even solved in case of the
caller's death by the OOM killer: the memory is allocated for another (faked) process.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-04-21 11:51:04 +10:00
agp.h Fix common misspellings 2011-03-31 11:26:23 -03:00
ali-agp.c agp: use scratch page on memory remove and at GATT creation V4 2010-04-23 13:59:18 +10:00
alpha-agp.c const: mark struct vm_struct_operations 2009-09-27 11:39:25 -07:00
amd64-agp.c amd64-agp: fix crash at second module load 2011-02-23 18:29:17 +10:00
amd-k7-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00
ati-agp.c agp: use scratch page on memory remove and at GATT creation V4 2010-04-23 13:59:18 +10:00
backend.c agp: kill agp_(map|unmap)_page 2010-09-21 11:36:11 +01:00
compat_ioctl.c agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23 20:14:45 +00:00
compat_ioctl.h agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23 20:14:45 +00:00
efficeon-agp.c agp: efficeon-agp: do not use PCI resources before pci_enable_device() 2010-08-05 12:28:21 +10:00
frontend.c agp: kill agp_flush_chipset and corresponding ioctl 2010-11-23 20:14:45 +00:00
generic.c agp: fix OOM and buffer overflow 2011-04-21 11:51:04 +10:00
hp-agp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
i460-agp.c Update broken web addresses in the kernel. 2010-10-18 11:03:14 +02:00
intel-agp.c agp: ensure GART has an address before enabling it 2011-02-04 09:43:57 +10:00
intel-agp.h agp/intel: Experiment with a 855GM GWB bit 2011-02-22 15:52:41 +00:00
intel-gtt.c agp/intel: Experiment with a 855GM GWB bit 2011-02-22 15:52:41 +00:00
isoch.c agp: use dev_printk when possible 2008-08-12 10:13:38 +10:00
Kconfig Revert "agp: AMD AGP is used on UP1100 & UP1500 alpha boxen" 2011-02-04 09:42:25 +10:00
Makefile agp/intel: make intel-gtt.c into a real source file 2010-09-08 21:20:06 +01:00
nvidia-agp.c agp: use scratch page on memory remove and at GATT creation V4 2010-04-23 13:59:18 +10:00
parisc-agp.c parisc-agp: fix missing slab.h include 2010-10-29 13:26:48 -04:00
sgi-agp.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sis-agp.c sis-agp: Remove SIS 760, handled by amd64-agp 2010-05-19 10:11:23 +10:00
sworks-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00
uninorth-agp.c agp/uninorth: Fix oops caused by flushing too much 2010-06-02 17:50:37 +10:00
via-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00