linux-uconsole/drivers/video
Peter Malone bfffc2c3f5 fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
[ Upstream commit 250c6c49e3 ]

Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
sbusfb_ioctl_helper().

'index' is defined as an int in sbusfb_ioctl_helper().
We retrieve this from the user:
    if (get_user(index, &c->index) ||
        __get_user(count, &c->count) ||
        __get_user(ured, &c->red) ||
        __get_user(ugreen, &c->green) ||
        __get_user(ublue, &c->blue))
            return -EFAULT;

and then we use 'index' in the following way:
    red = cmap->red[index + i] >> 8;
    green = cmap->green[index + i] >> 8;
    blue = cmap->blue[index + i] >> 8;

This is a classic information leak vulnerability. 'index' should be
an unsigned int, given its usage above.

This patch is straight-forward; it changes 'index' to unsigned int
in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.

This patch fixes CVE-2018-6412.

Signed-off-by: Peter Malone <peter.malone@gmail.com>
Acked-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:49:04 +02:00
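
A user-space C model of the indexing described in the commit message above, added here as an illustration; it is not code from the commit or from the kernel. The array sizes, the function names and both range checks are assumptions made for the example, since the page does not show the driver's length check.

```c
#include <stdint.h>
#include <stdio.h>

#define GUARD    64     /* constructed: unrelated words placed before the colormap */
#define CMAP_LEN 256u   /* constructed colormap length */

/* Flat model: mem[0..GUARD) is unrelated data, mem[GUARD..] stands in for
 * cmap->red. One array keeps the out-of-range read well defined in this model. */
static uint16_t mem[GUARD + CMAP_LEN];

static void setup(void)
{
    for (unsigned int i = 0; i < GUARD + CMAP_LEN; i++)
        mem[i] = (i < GUARD) ? 0xAB00 : 0x1100;
}

/* Pre-patch shape: 'index' is a signed int supplied by the caller. */
static int get_red_signed(int index, int count, uint8_t *out)
{
    if (index < -GUARD)                         /* keeps the model inside mem[] */
        return -2;
    if ((long long)index + count > CMAP_LEN)    /* assumed upper-bound-only check */
        return -1;
    for (int i = 0; i < count; i++)
        out[i] = mem[GUARD + index + i] >> 8;   /* cmap->red[index + i] >> 8 */
    return 0;
}

/* Post-patch shape: 'index' is unsigned int; the range check is written so it
 * cannot wrap (the check form is this example's choice). */
static int get_red_unsigned(unsigned int index, unsigned int count, uint8_t *out)
{
    if (index > CMAP_LEN || count > CMAP_LEN - index)
        return -1;
    for (unsigned int i = 0; i < count; i++)
        out[i] = mem[GUARD + index + i] >> 8;
    return 0;
}

int main(void)
{
    uint8_t out[4] = {0};
    setup();
    int rc = get_red_signed(-4, 4, out);        /* constructed caller input */
    printf("signed   index -4: rc=%d first=0x%02X\n", rc, out[0]);
    printf("unsigned index -4: rc=%d\n", get_red_unsigned((unsigned int)-4, 4, out));
    return 0;
}
```
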
backlight backlight: pwm_bl: Fix overflow condition 2017-12-25 14:22:13 +01:00
console vgacon: Set VGA struct resource types 2018-03-24 10:58:48 +01:00
fbdev fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). 2018-05-30 07:49:04 +02:00
logo video/logo: prevent use of logos after they have been freed 2014-12-29 10:06:55 +02:00
display_timing.c
hdmi.c video/hdmi: Allow "empty" HDMI infoframes 2018-03-22 09:23:27 +01:00
Kconfig drm: Remove two-level menu in Kconfig 2015-08-07 19:06:37 +02:00
Makefile
of_display_timing.c video: of: fix memory leak 2015-10-07 14:13:59 +03:00
of_videomode.c video: Fix possible leak in of_get_videomode() 2015-08-10 15:11:12 +03:00
vgastate.c fbdev: vgastate: remove trailing whitespaces 2015-01-13 12:53:25 +02:00
videomode.c