linux/drivers/char/agp
Vasiliy Kulikov 194b3da873 agp: fix arbitrary kernel memory writes
pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, a user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-04-21 12:16:55 +10:00
..
agp.h Fix common misspellings 2011-03-31 11:26:23 -03:00
ali-agp.c
alpha-agp.c
amd64-agp.c amd64-agp: fix crash at second module load 2011-02-23 18:29:17 +10:00
amd-k7-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00
ati-agp.c
backend.c
compat_ioctl.c
compat_ioctl.h
efficeon-agp.c
frontend.c
generic.c agp: fix arbitrary kernel memory writes 2011-04-21 12:16:55 +10:00
hp-agp.c
i460-agp.c
intel-agp.c agp: ensure GART has an address before enabling it 2011-02-04 09:43:57 +10:00
intel-agp.h agp/intel: Experiment with a 855GM GWB bit 2011-02-22 15:52:41 +00:00
intel-gtt.c agp/intel: Experiment with a 855GM GWB bit 2011-02-22 15:52:41 +00:00
isoch.c
Kconfig Revert "agp: AMD AGP is used on UP1100 & UP1500 alpha boxen" 2011-02-04 09:42:25 +10:00
Makefile
nvidia-agp.c
parisc-agp.c
sgi-agp.c
sis-agp.c
sworks-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00
uninorth-agp.c
via-agp.c Fix common misspellings 2011-03-31 11:26:23 -03:00