linux/drivers/video/fbdev
Peter Malone 250c6c49e3 fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
sbusfb_ioctl_helper().

'index' is defined as an int in sbusfb_ioctl_helper().
We retrieve this from the user:
    if (get_user(index, &c->index) ||
        __get_user(count, &c->count) ||
        __get_user(ured, &c->red) ||
        __get_user(ugreen, &c->green) ||
        __get_user(ublue, &c->blue))
            return -EFAULT;

and then we use 'index' in the following way:
    red = cmap->red[index + i] >> 8;
    green = cmap->green[index + i] >> 8;
    blue = cmap->blue[index + i] >> 8;

This is a classic information leak vulnerability. 'index' should be
an unsigned int, given its usage above.

This patch is straightforward; it changes 'index' to unsigned int
in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.

This patch fixes CVE-2018-6412.

Signed-off-by: Peter Malone <peter.malone@gmail.com>
Acked-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2018-03-07 14:00:34 +01:00
..
aty fbdev: radeon: use ktime_get() for HZ calibration 2018-01-04 16:53:49 +01:00
core fbcon: Remove dmi quirk table 2017-12-04 23:03:22 +01:00
geode x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping 2018-02-15 01:15:52 +01:00
i810 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
intelfb video: fbdev: intelfb: deprecate pci_get_bus_and_slot() 2018-01-17 08:16:46 -06:00
kyro
matrox fbdev changes for v4.15: 2017-11-20 21:50:24 -10:00
mb862xx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mbx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mmp video: fbdev/mmp: add MODULE_LICENSE 2018-01-15 17:04:22 +01:00
nvidia video: fbdev: nvidia: deprecate pci_get_bus_and_slot() 2018-01-17 08:16:46 -06:00
omap fbdev changes for v4.15: 2017-11-20 21:50:24 -10:00
omap2 video: omapfb: fix missing #includes 2018-02-09 14:43:49 +01:00
riva video: fbdev: riva: deprecate pci_get_bus_and_slot() 2018-01-17 08:16:46 -06:00
savage
sis video: fbdev: sis_main: mark expected switch fall-throughs 2017-11-09 18:09:33 +01:00
vermilion
via License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
68328fb.c
Kconfig Kbuild updates for v4.16 (2nd) 2018-02-09 19:32:41 -08:00
Makefile fbdev changes for v4.15: 2017-11-20 21:50:24 -10:00
acornfb.c
acornfb.h
amba-clcd-nomadik.c
amba-clcd-nomadik.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd-versatile.c
amba-clcd-versatile.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd.c
amifb.c
arcfb.c
arkfb.c
asiliantfb.c
atafb.c
atafb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel_lcdfb.c video: fbdev: atmel_lcdfb: fix display-timings lookup 2017-12-29 19:48:43 +01:00
au1100fb.c
au1100fb.h
au1200fb.c video: fbdev: au1200fb: Style clean up 2017-11-09 18:09:30 +01:00
au1200fb.h fbdev: au1200fb: delete duplicate header contents 2018-01-04 16:53:49 +01:00
auo_k190x.c fbdev changes for v4.16: 2018-02-07 13:10:43 -08:00
auo_k190x.h
auo_k1900fb.c
auo_k1901fb.c
bf54x-lq043fb.c
bf537-lq035.c
bfin-lq035q1-fb.c
bfin-t350mcqb-fb.c
bfin_adv7393fb.c
bfin_adv7393fb.h
broadsheetfb.c
bt431.h
bt455.h
bw2.c
c2p.h
c2p_core.h
c2p_iplan2.c
c2p_planar.c
carminefb.c
carminefb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
carminefb_regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cg3.c
cg6.c
cg14.c
chipsfb.c
cirrusfb.c video: fbdev: cirrusfb: mark expected switch fall-throughs 2017-11-09 18:09:32 +01:00
clps711x-fb.c
clps711xfb.c
cobalt_lcdfb.c
controlfb.c
controlfb.h fbdev: controlfb: Add missing modes to fix out of bounds access 2017-11-09 18:09:33 +01:00
cyber2000fb.c
cyber2000fb.h
da8xx-fb.c
dnfb.c video/fbdev/dnfb: Use common error handling code in dnfb_probe() 2017-11-09 18:09:31 +01:00
edid.h
efifb.c efifb: Set info->fbcon_rotate_hint based on drm_get_panel_orientation_quirk 2017-12-04 23:03:21 +01:00
ep93xx-fb.c
fb-puv3.c
ffb.c
fm2fb.c
fsl-diu-fb.c
g364fb.c
gbefb.c
goldfishfb.c video: goldfishfb: Add support for device tree bindings 2017-11-09 18:09:31 +01:00
grvga.c
gxt4500.c
hecubafb.c
hgafb.c
hitfb.c
hpfb.c
hyperv_fb.c
i740_reg.h
i740fb.c
imsttfb.c
imxfb.c
jz4740_fb.c
leo.c
macfb.c nubus: Adopt standard linked list implementation 2018-01-16 16:47:29 +01:00
macmodes.c
macmodes.h
maxinefb.c
metronomefb.c
mx3fb.c
mxsfb.c fbdev: mxsfb: use framebuffer_alloc in the correct way 2018-01-15 17:04:22 +01:00
n411.c
neofb.c
nuc900fb.c
nuc900fb.h
ocfb.c
offb.c
p9100.c
platinumfb.c
platinumfb.h
pm2fb.c
pm3fb.c
pmag-aa-fb.c
pmag-ba-fb.c
pmagb-b-fb.c
ps3fb.c
pvr2fb.c pvr2fs: use get_user_pages_fast() 2017-09-22 23:14:36 -04:00
pxa3xx-gcu.c fbdev: pxa3xx: use ktime_get_ts64 for time stamps 2018-01-04 16:53:49 +01:00
pxa3xx-gcu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxa168fb.c
pxa168fb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxafb.c
pxafb.h
q40fb.c
s1d13xxxfb.c
s3c-fb.c
s3c2410fb.c
s3c2410fb.h
s3fb.c
sa1100fb.c video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sa1100fb.h video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sbuslib.c fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). 2018-03-07 14:00:34 +01:00
sbuslib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sh7760fb.c
sh_mobile_lcdcfb.c
sh_mobile_lcdcfb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sh_mobile_meram.c
simplefb.c
skeletonfb.c
sm501fb.c video: fbdev: sm501fb: fix potential null pointer dereference on fbi 2017-11-17 17:21:48 +01:00
sm712.h
sm712fb.c
smscufx.c video: smscufx: Improve a size determination in two functions 2017-12-29 19:48:44 +01:00
ssd1307fb.c
sstfb.c
sticore.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stifb.c
sunxvr500.c
sunxvr1000.c
sunxvr2500.c
tcx.c
tdfxfb.c
tgafb.c
tmiofb.c
tridentfb.c
udlfb.c video: udlfb: Switch from the pr_*() to the dev_*() logging functions 2018-01-16 16:35:20 +01:00
uvesafb.c fbdev changes for v4.14: 2017-09-14 13:33:33 -07:00
valkyriefb.c
valkyriefb.h
vesafb.c
vfb.c vfb: fix video mode and line_length being set when loaded 2018-01-04 16:53:50 +01:00
vga16fb.c video: fbdev: remove redundant self assignment of 'height' 2017-12-29 19:48:43 +01:00
vt8500lcdfb.c video/fbdev/vt8500lcdfb: Delete an error message for a failed memory allocation in vt8500lcd_probe() 2017-12-29 19:48:44 +01:00
vt8500lcdfb.h
vt8623fb.c
w100fb.c treewide: Use DEVICE_ATTR_RW 2018-01-09 16:33:31 +01:00
w100fb.h
wm8505fb.c video/fbdev/wm8505fb: Delete an error message for a failed memory allocation in wm8505fb_probe() 2017-12-29 19:48:43 +01:00
wm8505fb_regs.h
wmt_ge_rops.c
wmt_ge_rops.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xen-fbfront.c
xilinxfb.c