author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-21 17:40:25 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-21 17:40:25 -0400 |
commit | 98c0a573c41e2e7b6cd68819607cc8d97cd3c82b (patch) | |
tree | 6a555ff10695004233a19b628ac94c9e2df2297b | |
parent | 844b50d299ec101c6789600c85c15b96859eacef (diff) | |
download | longterm-queue-2.6.34-98c0a573c41e2e7b6cd68819607cc8d97cd3c82b.tar.gz |
add agp OOM fix; b522f02184b41 upstream
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/agp-fix-OOM-and-buffer-overflow.patch | 58 | ||||
-rw-r--r-- | queue/series | 1 |
2 files changed, 59 insertions, 0 deletions
diff --git a/queue/agp-fix-OOM-and-buffer-overflow.patch b/queue/agp-fix-OOM-and-buffer-overflow.patch
new file mode 100644
index 0000000..b8b3e5f
--- /dev/null
+++ b/queue/agp-fix-OOM-and-buffer-overflow.patch
@@ -0,0 +1,58 @@
+From 5b795bab08f44560fe07a72d97eee28f08672f39 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Thu, 14 Apr 2011 20:55:19 +0400
+Subject: [PATCH] agp: fix OOM and buffer overflow
+
+commit b522f02184b413955f3bc952e3776ce41edc6355 upstream.
+
+page_count is copied from userspace. agp_allocate_memory() tries to
+check whether this number is too big, but doesn't take into account the
+wrap case. Also agp_create_user_memory() doesn't check whether
+alloc_size is calculated from num_agp_pages variable without overflow.
+This may lead to allocation of too small buffer with following buffer
+overflow.
+
+Another problem in agp code is not addressed in the patch - kernel memory
+exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked
+whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
+Each allocation is limited to 16KB, though, there is no per-process limit.
+This might lead to OOM situation, which is not even solved in case of the
+caller death by OOM killer - the memory is allocated for another (faked) process.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index 94c0321..ab17f98 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -124,6 +124,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
+ struct agp_memory *new;
+ unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
+ 
++ if (INT_MAX/sizeof(struct page *) < num_agp_pages)
++ return NULL;
++
+ new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
+ if (new == NULL)
+ return NULL;
+@@ -243,11 +246,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
+ int scratch_pages;
+ struct agp_memory *new;
+ size_t i;
++ int cur_memory;
+ 
+ if (!bridge)
+ return NULL;
+ 
+- if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
++ cur_memory = atomic_read(&bridge->current_memory_agp);
++ if ((cur_memory + page_count > bridge->max_memory_agp) ||
++ (cur_memory + page_count < page_count))
+ return NULL;
+ 
+ if (type >= AGP_USER_TYPES) {
+-- 
+1.7.4.4
+
diff --git a/queue/series b/queue/series
index 57af984..32d7f12 100644
--- a/queue/series
+++ b/queue/series
@@ -237,6 +237,7 @@ PCI-return-correct-value-when-writing-to-the-reset-a.patch
 mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
 fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
 agp-fix-arbitrary-kernel-memory-writes.patch
+agp-fix-OOM-and-buffer-overflow.patch
 udp-Fix-bogus-UFO-packet-generation.patch
 # Content taken from v2.6.35.11 |
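Review bot: The wrap test on the last added line of the agp_allocate_memory hunk, `(cur_memory + page_count < page_count)`, detects the wrap only if page_count is an unsigned type, and page_count is declared in the function signature, which the hunk header cuts off, so the hunk alone does not show that. If page_count were a signed int, the sum could overflow the int instead, which is undefined behaviour rather than a reliable wrap, and the comparison of cur_memory (an int) with page_count and bridge->max_memory_agp would mix signedness. A one-line comment above the check, `/* page_count is unsigned: a sum that wrapped is smaller than page_count */`, would record the assumption the test depends on for the next reader of this queue file. The agp_create_user_memory hunk sidesteps the question by bounding num_agp_pages against `INT_MAX/sizeof(struct page *)` before the allocation, though the `alloc_size` product on the line above it is still computed before that bound is applied. Both enclosing functions continue outside their hunks.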