From 5e8ba79eb6aabd85f52de43fcf30722268857f60 Mon Sep 17 00:00:00 2001
From: Jeff Hartmann <jhartmann@valinux.com>
Date: Fri, 20 Jul 2001 22:16:04 +0000
Subject: Merge checker fixes from Alan Cox made to the drm in the ac kernel
tree. These aren't really security problems, but Alan has made some
arguments that have convinced me that the code should be fixed anyway.
---
linux-core/drm_bufs.c | 19 +++++++++++++++++++
linux-core/drm_ioctl.c | 2 +-
linux/drm_bufs.h | 19 +++++++++++++++++++
linux/drm_ioctl.h | 2 +-
4 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c
index 16af7bd5..02502321 100644
--- a/linux-core/drm_bufs.c
+++ b/linux-core/drm_bufs.c
@@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp,
return -ENOMEM; /* May only call once for each order */
}
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
DRM_MEM_BUFS );
if ( !entry->buflist ) {
@@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
return -ENOMEM; /* May only call once for each order */
}
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
DRM_MEM_BUFS );
if ( !entry->buflist ) {
@@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
atomic_dec( &dev->buf_alloc );
return 0;
+
}
#endif /* __HAVE_PCI_DMA */
@@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp,
return -ENOMEM; /* May only call once for each order */
}
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
DRM_MEM_BUFS );
if ( !entry->buflist ) {
diff --git a/linux-core/drm_ioctl.c b/linux-core/drm_ioctl.c
index 1cc8f31f..c2761808 100644
--- a/linux-core/drm_ioctl.c
+++ b/linux-core/drm_ioctl.c
@@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp,
if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
return -EFAULT;
- if (!u.unique_len)
+ if (!u.unique_len || u.unique_len > 1024)
return -EINVAL;
dev->unique_len = u.unique_len;
diff --git a/linux/drm_bufs.h b/linux/drm_bufs.h
index 16af7bd5..02502321 100644
--- a/linux/drm_bufs.h
+++ b/linux/drm_bufs.h
@@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp,
return -ENOMEM; /* May only call once for each order */
}
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
DRM_MEM_BUFS );
if ( !entry->buflist ) {
@@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
return -ENOMEM; /* May only call once for each order */
}
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
DRM_MEM_BUFS );
if ( !entry->buflist ) {
@@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp,
atomic_dec( &dev->buf_alloc );
return 0;
+
}
#endif /* __HAVE_PCI_DMA */
@@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp,
return -ENOMEM; /* May only call once for each order */
}
+ if (count < 0 || count > 4096) {
+ up( &dev->struct_sem );
+ atomic_dec( &dev->buf_alloc );
+ return -EINVAL;
+ }
+
entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist),
DRM_MEM_BUFS );
if ( !entry->buflist ) {
diff --git a/linux/drm_ioctl.h b/linux/drm_ioctl.h
index 1cc8f31f..c2761808 100644
--- a/linux/drm_ioctl.h
+++ b/linux/drm_ioctl.h
@@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp,
if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u)))
return -EFAULT;
- if (!u.unique_len)
+ if (!u.unique_len || u.unique_len > 1024)
return -EINVAL;
dev->unique_len = u.unique_len;
--
cgit v1.2.3