add agp OOM fix; b522f02184b41 upstream

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

2 files changed, 59 insertions, 0 deletions

diff --git a/queue/agp-fix-OOM-and-buffer-overflow.patch b/queue/agp-fix-OOM-and-buffer-overflow.patch
new file mode 100644
index 0000000..b8b3e5f
--- /dev/null
+++ b/queue/agp-fix-OOM-and-buffer-overflow.patch
@@ -0,0 +1,58 @@
+From 5b795bab08f44560fe07a72d97eee28f08672f39 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Thu, 14 Apr 2011 20:55:19 +0400
+Subject: [PATCH] agp: fix OOM and buffer overflow
+
+commit b522f02184b413955f3bc952e3776ce41edc6355 upstream.
+
+page_count is copied from userspace.  agp_allocate_memory() tries to
+check whether this number is too big, but doesn't take into account the
+wrap case.  Also agp_create_user_memory() doesn't check whether
+alloc_size is calculated from num_agp_pages variable without overflow.
+This may lead to allocation of too small buffer with following buffer
+overflow.
+
+Another problem in agp code is not addressed in the patch - kernel memory
+exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
+whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
+Each allocation is limited to 16KB, though, there is no per-process limit.
+This might lead to OOM situation, which is not even solved in case of the
+caller death by OOM killer - the memory is allocated for another (faked) process.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
+index 94c0321..ab17f98 100644
+--- a/drivers/char/agp/generic.c
++++ b/drivers/char/agp/generic.c
+@@ -124,6 +124,9 @@ static struct agp_memory *agp_create_user_memory(unsigned long num_agp_pages)
+ 	struct agp_memory *new;
+ 	unsigned long alloc_size = num_agp_pages*sizeof(struct page *);
+ 
++	if (INT_MAX/sizeof(struct page *) < num_agp_pages)
++		return NULL;
++
+ 	new = kzalloc(sizeof(struct agp_memory), GFP_KERNEL);
+ 	if (new == NULL)
+ 		return NULL;
+@@ -243,11 +246,14 @@ struct agp_memory *agp_allocate_memory(struct agp_bridge_data *bridge,
+ 	int scratch_pages;
+ 	struct agp_memory *new;
+ 	size_t i;
++	int cur_memory;
+ 
+ 	if (!bridge)
+ 		return NULL;
+ 
+-	if ((atomic_read(&bridge->current_memory_agp) + page_count) > bridge->max_memory_agp)
++	cur_memory = atomic_read(&bridge->current_memory_agp);
++	if ((cur_memory + page_count > bridge->max_memory_agp) ||
++	    (cur_memory + page_count < page_count))
+ 		return NULL;
+ 
+ 	if (type >= AGP_USER_TYPES) {
+-- 
+1.7.4.4
+
diff --git a/queue/series b/queue/series
index 57af984..32d7f12 100644
--- a/queue/series
+++ b/queue/series
@@ -237,6 +237,7 @@ PCI-return-correct-value-when-writing-to-the-reset-a.patch
 mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
 fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
 agp-fix-arbitrary-kernel-memory-writes.patch
+agp-fix-OOM-and-buffer-overflow.patch
 udp-Fix-bogus-UFO-packet-generation.patch
 
 # Content taken from v2.6.35.11