Date: Tue, 9 Mar 2004 16:20:39 +0000
From: Dave Jones <davej@redhat.com>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
       dri-devel@lists.sourceforge.net
Subject: [SECURITY] CAN-2004-0003 R128 DRI limits checking.
Message-ID: <20040309162039.GC28660@redhat.com>
Mail-Followup-To: Dave Jones <davej@redhat.com>,
	Linus Torvalds <torvalds@osdl.org>,
	Linux Kernel <linux-kernel@vger.kernel.org>, dri-devel@lists.sf.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1365
Lines: 51

This got fixed in 2.4, but somehow got missed in 2.6.
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0003 has more info.

		Dave

--- linux-2.6.3/drivers/char/drm/r128_state.c~	2004-03-09 16:12:59.000000000 +0000
+++ linux-2.6.3/drivers/char/drm/r128_state.c	2004-03-09 16:13:42.000000000 +0000
@@ -915,6 +915,9 @@
 	DRM_DEBUG( "\n" );
 
 	count = depth->n;
+	if (count > 4096 || count <= 0)
+		return -EMSGSIZE;
+
 	if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) {
 		return DRM_ERR(EFAULT);
 	}
@@ -1008,6 +1011,8 @@
 	DRM_DEBUG( "\n" );
 
 	count = depth->n;
+	if (count > 4096  || count <= 0)
+		return -EMSGSIZE;
 
 	xbuf_size = count * sizeof(*x);
 	ybuf_size = count * sizeof(*y);
@@ -1125,6 +1130,9 @@
 	DRM_DEBUG( "\n" );
 
 	count = depth->n;
+	if (count > 4096 || count <= 0)
+		return -EMSGSIZE;
+
 	if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) {
 		return DRM_ERR(EFAULT);
 	}
@@ -1167,6 +1175,9 @@
 	DRM_DEBUG( "%s\n", __FUNCTION__ );
 
 	count = depth->n;
+	if (count > 4096 || count <= 0)
+		return -EMSGSIZE;
+
 	if ( count > dev_priv->depth_pitch ) {
 		count = dev_priv->depth_pitch;
 	}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/