Security fix on via: Checking that the specified context belongs to the

caller on fb / agp memory alloc and free. Otherwise malicious clients can register allocations on other clients or free memory used by other clients which will lead to severe memory manager inconsistensies.
author: Thomas Hellstrom <unichrome@shipmail.org> 2005-08-10 19:46:46 +0000
committer: Thomas Hellstrom <unichrome@shipmail.org> 2005-08-10 19:46:46 +0000
commit: d5e8ab13ff5399531eb1927dcd4535aeeed18c94 (patch)
tree: a6e2aacb12fbaec99c841b84dfdfc67293ed8243 /shared-core/via_mm.c
parent: 0d81954b0e4430428eddc00c6097e614e51ba0b1 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/shared-core/via_mm.c b/shared-core/via_mm.c
index 13921f3c..89d762f1 100644
--- a/shared-core/via_mm.c
+++ b/shared-core/via_mm.c
@@ -192,11 +192,16 @@ int via_final_context(struct drm_device *dev, int context)
 
 int via_mem_alloc(DRM_IOCTL_ARGS)
 {
+	drm_file_t *priv = filp->private_data;
 	drm_via_mem_t mem;
 
 	DRM_COPY_FROM_USER_IOCTL(mem, (drm_via_mem_t __user *) data,
 				 sizeof(mem));
 
+	if (!drm_check_context(priv, mem.context)) {
+		return DRM_ERR(EINVAL);
+	}
+
 	switch (mem.type) {
 	case VIDEO:
 		if (via_fb_alloc(&mem) < 0)
@@ -289,11 +294,16 @@ static int via_agp_alloc(drm_via_mem_t * mem)
 
 int via_mem_free(DRM_IOCTL_ARGS)
 {
+	drm_file_t *priv = filp->private_data;
 	drm_via_mem_t mem;
 
 	DRM_COPY_FROM_USER_IOCTL(mem, (drm_via_mem_t __user *) data,
 				 sizeof(mem));
 
+	if (!drm_check_context(priv, mem.context)) {
+		return DRM_ERR(EINVAL);
+	}
+
 	switch (mem.type) {
 
 	case VIDEO:
author	Thomas Hellstrom <unichrome@shipmail.org>	2005-08-10 19:46:46 +0000
committer	Thomas Hellstrom <unichrome@shipmail.org>	2005-08-10 19:46:46 +0000
commit	d5e8ab13ff5399531eb1927dcd4535aeeed18c94 (patch)
tree	a6e2aacb12fbaec99c841b84dfdfc67293ed8243 /shared-core/via_mm.c
parent	0d81954b0e4430428eddc00c6097e614e51ba0b1 (diff)