From 5e8ba79eb6aabd85f52de43fcf30722268857f60 Mon Sep 17 00:00:00 2001 From: Jeff Hartmann Date: Fri, 20 Jul 2001 22:16:04 +0000 Subject: [PATCH] Merge checker fixes from Alan Cox made to the drm in the ac kernel tree. These aren't really security problems, but Alan has made some arguments that have convinced me that the code should be fixed anyway. --- linux-core/drm_bufs.c | 19 +++++++++++++++++++ linux-core/drm_ioctl.c | 2 +- linux/drm_bufs.h | 19 +++++++++++++++++++ linux/drm_ioctl.h | 2 +- 4 files changed, 40 insertions(+), 2 deletions(-) diff --git a/linux-core/drm_bufs.c b/linux-core/drm_bufs.c index 16af7bd5..02502321 100644 --- a/linux-core/drm_bufs.c +++ b/linux-core/drm_bufs.c @@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) { @@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) { @@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, atomic_dec( &dev->buf_alloc ); return 0; + } #endif /* __HAVE_PCI_DMA */ @@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) { diff --git a/linux-core/drm_ioctl.c b/linux-core/drm_ioctl.c index 1cc8f31f..c2761808 100644 --- a/linux-core/drm_ioctl.c +++ b/linux-core/drm_ioctl.c @@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp, if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u))) return -EFAULT; - if (!u.unique_len) + if (!u.unique_len || u.unique_len > 1024) return -EINVAL; dev->unique_len = u.unique_len; diff --git a/linux/drm_bufs.h b/linux/drm_bufs.h index 16af7bd5..02502321 100644 --- a/linux/drm_bufs.h +++ b/linux/drm_bufs.h @@ -332,6 +332,12 @@ int DRM(addbufs_agp)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) { @@ -479,6 +485,12 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) { @@ -581,6 +593,7 @@ int DRM(addbufs_pci)( struct inode *inode, struct file *filp, atomic_dec( &dev->buf_alloc ); return 0; + } #endif /* __HAVE_PCI_DMA */ @@ -650,6 +663,12 @@ int DRM(addbufs_sg)( struct inode *inode, struct file *filp, return -ENOMEM; /* May only call once for each order */ } + if (count < 0 || count > 4096) { + up( &dev->struct_sem ); + atomic_dec( &dev->buf_alloc ); + return -EINVAL; + } + entry->buflist = DRM(alloc)( count * sizeof(*entry->buflist), DRM_MEM_BUFS ); if ( !entry->buflist ) { diff --git a/linux/drm_ioctl.h b/linux/drm_ioctl.h index 1cc8f31f..c2761808 100644 --- a/linux/drm_ioctl.h +++ b/linux/drm_ioctl.h @@ -82,7 +82,7 @@ int DRM(setunique)(struct inode *inode, struct file *filp, if (copy_from_user(&u, (drm_unique_t *)arg, sizeof(u))) return -EFAULT; - if (!u.unique_len) + if (!u.unique_len || u.unique_len > 1024) return -EINVAL; dev->unique_len = u.unique_len;