| Message ID | 20130513050051.GA32019@www.outflux.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, May 13, 2013 at 1:00 AM, Kees Cook <keescook@chromium.org> wrote: > The "boxes" parameter points into userspace memory. It should be verified > like any other operation against user memory. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: stable@vger.kernel.org Thanks. Applied. Alex > --- > drivers/gpu/drm/radeon/r300_cmdbuf.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/radeon/r300_cmdbuf.c b/drivers/gpu/drm/radeon/r300_cmdbuf.c > index 865e2c9..60170ea 100644 > --- a/drivers/gpu/drm/radeon/r300_cmdbuf.c > +++ b/drivers/gpu/drm/radeon/r300_cmdbuf.c > @@ -75,7 +75,7 @@ static int r300_emit_cliprects(drm_radeon_private_t *dev_priv, > OUT_RING(CP_PACKET0(R300_RE_CLIPRECT_TL_0, nr * 2 - 1)); > > for (i = 0; i < nr; ++i) { > - if (DRM_COPY_FROM_USER_UNCHECKED > + if (DRM_COPY_FROM_USER > (&box, &cmdbuf->boxes[n + i], sizeof(box))) { > DRM_ERROR("copy cliprect faulted\n"); > return -EFAULT; > -- > 1.7.9.5 > > > -- > Kees Cook > Chrome OS Security > _______________________________________________ > dri-devel mailing list > dri-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/dri-devel
diff --git a/drivers/gpu/drm/radeon/r300_cmdbuf.c b/drivers/gpu/drm/radeon/r300_cmdbuf.c index 865e2c9..60170ea 100644 --- a/drivers/gpu/drm/radeon/r300_cmdbuf.c +++ b/drivers/gpu/drm/radeon/r300_cmdbuf.c @@ -75,7 +75,7 @@ static int r300_emit_cliprects(drm_radeon_private_t *dev_priv, OUT_RING(CP_PACKET0(R300_RE_CLIPRECT_TL_0, nr * 2 - 1)); for (i = 0; i < nr; ++i) { - if (DRM_COPY_FROM_USER_UNCHECKED + if (DRM_COPY_FROM_USER (&box, &cmdbuf->boxes[n + i], sizeof(box))) { DRM_ERROR("copy cliprect faulted\n"); return -EFAULT;
The "boxes" parameter points into userspace memory. It should be verified like any other operation against user memory. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org --- drivers/gpu/drm/radeon/r300_cmdbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)