194b3da873
pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| agp.h | ||
| ali-agp.c | ||
| alpha-agp.c | ||
| amd-k7-agp.c | ||
| amd64-agp.c | ||
| ati-agp.c | ||
| backend.c | ||
| compat_ioctl.c | ||
| compat_ioctl.h | ||
| efficeon-agp.c | ||
| frontend.c | ||
| generic.c | ||
| hp-agp.c | ||
| i460-agp.c | ||
| intel-agp.c | ||
| intel-agp.h | ||
| intel-gtt.c | ||
| isoch.c | ||
| nvidia-agp.c | ||
| parisc-agp.c | ||
| sgi-agp.c | ||
| sis-agp.c | ||
| sworks-agp.c | ||
| uninorth-agp.c | ||
| via-agp.c | ||