forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers
History
Xi Wang fb247af4cc drm/i915: fix integer overflow in i915_gem_execbuffer2() 
commit ed8cd3b2cd upstream.

On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.

This vulnerability was introduced in commit 8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-05-07 08:56:33 -07:00
..
accessibility
acpi ACPICA: Fix to allow region arguments to reference other scopes 2012-04-22 16:21:43 -07:00
amba
ata pata_legacy: correctly mask recovery field for HT6560B 2012-04-02 09:27:13 -07:00
atm
auxdisplay
base PM / Driver core: leave runtime PM enabled during system shutdown 2012-03-19 08:57:44 -07:00
bcma
block cciss: Fix scsi tape io with more than 255 scatter gather elements 2012-04-22 16:21:24 -07:00
bluetooth Bluetooth: Add support for Atheros [04ca:3005] 2012-04-27 09:51:09 -07:00
cdrom cdrom: use copy_to_user() without the underscores 2012-02-29 16:34:35 -08:00
char TPM: Zero buffer after copying to userspace 2011-10-03 11:40:58 -07:00
clk
clocksource
connector
cpufreq powernow-k8: Fix indexing issue 2012-02-13 11:06:13 -08:00
cpuidle
crypto crypto: mv_cesa - fix final callback not ignoring input data 2012-03-12 10:32:56 -07:00
dca
dio
dma dmaengine: at_hdmac: remove clear-on-read in atc_dostart() 2012-05-07 08:56:33 -07:00
edac i7core_edac: fixed typo in error count calculation 2011-08-29 13:29:06 -07:00
eisa
firewire firewire: ohci: fix too-early completion of IR multichannel buffers 2012-04-02 09:27:13 -07:00
firmware ibft: Fix finding IBFT ACPI table on UEFI 2011-12-21 12:57:45 -08:00
gpio gpio/pca953x: Fix warning of enabled interrupts in handler 2012-02-20 12:48:11 -08:00
gpu drm/i915: fix integer overflow in i915_gem_execbuffer2() 2012-05-07 08:56:33 -07:00
hid HID: add more hotkeys in Asus AIO keyboards 2012-04-02 09:27:12 -07:00
hwmon hwmon: (fam15h_power) Fix pci_device_id array 2012-05-07 08:56:33 -07:00
hwspinlock hwspinlock/core: use a mutex to protect the radix tree 2011-11-11 09:36:31 -08:00
i2c i2c-algo-bit: Fix spurious SCL timeouts under heavy load 2012-03-19 08:57:59 -07:00
ide block: add and use scsi_blk_cmd_ioctl 2012-01-25 17:24:54 -08:00
idle intel_idle: fix API misuse 2012-01-25 17:24:56 -08:00
ieee802154
infiniband IB/iser: Post initial receive buffers before sending the final login request 2012-04-02 09:27:10 -07:00
input Input: ALPS - fix touchpad detection when buttons are pressed 2012-03-12 10:33:00 -07:00
isdn net: Audit drivers to identify those needing IFF_TX_SKB_SHARING cleared 2011-08-15 18:31:38 -07:00
leds Revert "leds: save the delay values after a successful call to blink_set()" 2011-11-21 14:31:19 -08:00
lguest
macintosh
mca
md md/bitmap: prevent bitmap_daemon_work running while initialising bitmap 2012-04-22 16:21:44 -07:00
media media: rc-core: set mode for winbond-cir 2012-04-27 09:51:06 -07:00
memstick
message
mfd mfd: Clear twl6030 IRQ status register only once 2012-04-13 08:14:08 -07:00
misc pch_phub: Improve ADE(Address Decode Enable) control 2012-04-22 16:21:42 -07:00
mmc mmc: atmel-mci: correct data timeout computation 2012-04-13 08:14:07 -07:00
mtd mtd: m25p80: set writebufsize 2012-04-13 08:14:05 -07:00
net ksz884x: don't copy too much in netdev_set_mac_address() 2012-04-27 09:51:21 -07:00
nfc
nubus
of
oprofile oprofile: Fix uninitialized memory access when writing to writing to oprofilefs 2012-01-06 14:13:51 -08:00
parisc
parport
pci PCI: Add quirk for still enabled interrupts on Intel Sandy Bridge GPUs 2012-04-27 09:51:08 -07:00
pcmcia pcmcia: fix socket refcount decrementing on each resume 2012-02-13 11:06:10 -08:00
platform acer-wmi: No wifi rfkill on Sony machines 2012-04-13 08:14:08 -07:00
pnp PNPACPI: Fix device ref leaking in acpi_pnp_match 2012-04-13 08:14:05 -07:00
power drivers/power/ds2780_battery.c: fix deadlock upon insertion and removal 2011-11-11 09:36:32 -08:00
pps
ps3
ptp ptp: Fix clock_getres() implementation 2011-12-21 12:57:36 -08:00
rapidio rapidio: fix use of non-compatible registers 2011-10-03 11:39:46 -07:00
regulator regulator: Fix setting selector in tps6524x set_voltage function 2012-03-19 08:57:58 -07:00
rtc drivers/rtc/rtc-pl031.c: enable clock on all ST variants 2012-04-22 16:21:23 -07:00
s390 compat: Re-add missing asm/compat.h include to fix compile breakage on s390 2012-03-19 08:57:59 -07:00
sbus
scsi osd_uld: Bump MAX_OSD_DEVICES from 64 to 1,048,576 2012-03-12 10:32:57 -07:00
sfi
sh
sn
spi spi: Fix device unregistration when unregistering the bus master 2012-04-27 09:51:09 -07:00
ssb ssb: fix init regression with SoCs 2012-01-06 14:13:48 -08:00
staging staging: iio: hmc5843: Fix crash in probe function. 2012-04-22 16:21:23 -07:00
target target: Fix 16-bit target ports for SET TARGET PORT GROUPS emulation 2012-04-02 09:27:12 -07:00
tc
telephony
thermal
tty drivers/tty/amiserial.c: add missing tty_unlock 2012-04-27 09:51:07 -07:00
uio
usb usb: musb: omap: fix the error check for pm_runtime_get_sync 2012-04-27 09:51:08 -07:00
uwb uwb: fix error handling 2012-04-27 09:51:06 -07:00
vhost
video video:uvesafb: Fix oops that uvesafb try to execute NX-protected page 2012-04-22 16:21:24 -07:00
virtio virtio-pci: fix use after free 2011-11-21 14:31:14 -08:00
vlynq
w1 drivers/power/ds2780_battery.c: add a nolock function to w1 interface 2011-11-11 09:36:32 -08:00
watchdog watchdog: hpwdt: clean up set_memory_x call for 32 bit 2012-03-12 10:32:40 -07:00
xen xen/xenbus: Add quirk to deal with misconfigured backends. 2012-04-27 09:51:05 -07:00
zorro zorro: Defer device_register() until all devices have been identified 2011-10-03 11:40:57 -07:00
Kconfig
Makefile