From d5e8ab13ff5399531eb1927dcd4535aeeed18c94 Mon Sep 17 00:00:00 2001 From: Thomas Hellstrom Date: Wed, 10 Aug 2005 19:46:46 +0000 Subject: Security fix on via: Checking that the specified context belongs to the caller on fb / agp memory alloc and free. Otherwise malicious clients can register allocations on other clients or free memory used by other clients which will lead to severe memory manager inconsistensies. --- shared-core/via_drv.h | 4 ++-- shared-core/via_mm.c | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'shared-core') diff --git a/shared-core/via_drv.h b/shared-core/via_drv.h index c76674ee..95af8b9c 100644 --- a/shared-core/via_drv.h +++ b/shared-core/via_drv.h @@ -28,11 +28,11 @@ #define DRIVER_NAME "via" #define DRIVER_DESC "VIA Unichrome / Pro" -#define DRIVER_DATE "20050715" +#define DRIVER_DATE "20050810" #define DRIVER_MAJOR 2 #define DRIVER_MINOR 6 -#define DRIVER_PATCHLEVEL 4 +#define DRIVER_PATCHLEVEL 5 #include "via_verifier.h" diff --git a/shared-core/via_mm.c b/shared-core/via_mm.c index 13921f3c..89d762f1 100644 --- a/shared-core/via_mm.c +++ b/shared-core/via_mm.c @@ -192,11 +192,16 @@ int via_final_context(struct drm_device *dev, int context) int via_mem_alloc(DRM_IOCTL_ARGS) { + drm_file_t *priv = filp->private_data; drm_via_mem_t mem; DRM_COPY_FROM_USER_IOCTL(mem, (drm_via_mem_t __user *) data, sizeof(mem)); + if (!drm_check_context(priv, mem.context)) { + return DRM_ERR(EINVAL); + } + switch (mem.type) { case VIDEO: if (via_fb_alloc(&mem) < 0) @@ -289,11 +294,16 @@ static int via_agp_alloc(drm_via_mem_t * mem) int via_mem_free(DRM_IOCTL_ARGS) { + drm_file_t *priv = filp->private_data; drm_via_mem_t mem; DRM_COPY_FROM_USER_IOCTL(mem, (drm_via_mem_t __user *) data, sizeof(mem)); + if (!drm_check_context(priv, mem.context)) { + return DRM_ERR(EINVAL); + } + switch (mem.type) { case VIDEO: -- cgit v1.2.3