authorThomas Hellstrom <unichrome@shipmail.org>2005-08-10 19:46:46 +0000
committerThomas Hellstrom <unichrome@shipmail.org>2005-08-10 19:46:46 +0000
commitd5e8ab13ff5399531eb1927dcd4535aeeed18c94 (patch)
treea6e2aacb12fbaec99c841b84dfdfc67293ed8243 /shared-core
parent0d81954b0e4430428eddc00c6097e614e51ba0b1 (diff)
Security fix on via: Checking that the specified context belongs to the
caller on fb / agp memory alloc and free. Otherwise malicious clients can register allocations on other clients or free memory used by other clients, which will lead to severe memory manager inconsistencies.
Diffstat (limited to 'shared-core')
-rw-r--r--shared-core/via_drv.h4
-rw-r--r--shared-core/via_mm.c10
2 files changed, 12 insertions, 2 deletions
diff --git a/shared-core/via_drv.h b/shared-core/via_drv.h
index c76674ee..95af8b9c 100644
--- a/shared-core/via_drv.h
+++ b/shared-core/via_drv.h
@@ -28,11 +28,11 @@
#define DRIVER_NAME "via"
#define DRIVER_DESC "VIA Unichrome / Pro"
-#define DRIVER_DATE "20050715"
+#define DRIVER_DATE "20050810"
#define DRIVER_MAJOR 2
#define DRIVER_MINOR 6
-#define DRIVER_PATCHLEVEL 4
+#define DRIVER_PATCHLEVEL 5
#include "via_verifier.h"
diff --git a/shared-core/via_mm.c b/shared-core/via_mm.c
index 13921f3c..89d762f1 100644
--- a/shared-core/via_mm.c
+++ b/shared-core/via_mm.c
@@ -192,11 +192,16 @@ int via_final_context(struct drm_device *dev, int context)
int via_mem_alloc(DRM_IOCTL_ARGS)
{
+ drm_file_t *priv = filp->private_data;
drm_via_mem_t mem;
DRM_COPY_FROM_USER_IOCTL(mem, (drm_via_mem_t __user *) data,
sizeof(mem));
+ if (!drm_check_context(priv, mem.context)) {
+ return DRM_ERR(EINVAL);
+ }
+
switch (mem.type) {
case VIDEO:
if (via_fb_alloc(&mem) < 0)
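Review bot: The `drm_check_context(priv, mem.context)` guard added to via_mem_alloc validates only the context field of the user-copied `mem`. Nothing visible ties the remaining caller-supplied fields to that context, and the same applies to the identical guard added to via_mem_free in the following hunk. The alloc/free helpers are outside the visible lines, so it is worth confirming that the free path looks up the requested block in the verified context's allocation set before releasing it; otherwise the ownership check on the context alone would not cover the block being freed. A one-line comment above each guard would record the intent, e.g. `/* mem.context is user-supplied: reject contexts not owned by this file handle */`. Both function bodies continue outside their hunks.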
@@ -289,11 +294,16 @@ static int via_agp_alloc(drm_via_mem_t * mem)
int via_mem_free(DRM_IOCTL_ARGS)
{
+ drm_file_t *priv = filp->private_data;
drm_via_mem_t mem;
DRM_COPY_FROM_USER_IOCTL(mem, (drm_via_mem_t __user *) data,
sizeof(mem));
+ if (!drm_check_context(priv, mem.context)) {
+ return DRM_ERR(EINVAL);
+ }
+
switch (mem.type) {
case VIDEO: