shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-07 13:43:09 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
ffe4bf3eb3cfa10f9ef295c08c21f4fe3bb07e21
linux/drivers/video/fbdev
History
Peter Malone bfffc2c3f5 fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). 
[ Upstream commit 250c6c49e3 ]

Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
sbusfb_ioctl_helper().

'index' is defined as an int in sbusfb_ioctl_helper().
We retrieve this from the user:
if (get_user(index, &c->index) ||
    __get_user(count, &c->count) ||
    __get_user(ured, &c->red) ||
    __get_user(ugreen, &c->green) ||
    __get_user(ublue, &c->blue))
       return -EFAULT;

and then we use 'index' in the following way:
red = cmap->red[index + i] >> 8;
green = cmap->green[index + i] >> 8;
blue = cmap->blue[index + i] >> 8;

This is a classic information leak vulnerability. 'index' should be
an unsigned int, given its usage above.

This patch is straight-forward; it changes 'index' to unsigned int
in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.

This patch fixes CVE-2018-6412.

Signed-off-by: Peter Malone <peter.malone@gmail.com>
Acked-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:49:04 +02:00
..
aty
video: fbdev: aty: do not leak uninitialized padding in clk to userspace
2017-10-05 09:41:48 +02:00
core
fbdev: color map copying bounds checking
2017-02-01 08:30:52 +01:00
exynos
fbdev: s6e8ax0: avoid unused function warnings
2018-02-25 11:03:46 +01:00
geode
video: fbdev: geode gxfb: use ioremap_wc() for framebuffer
2015-06-03 12:41:53 +03:00
i810
video: fbdev: i810: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:51 +03:00
intelfb
video: Use bool instead int pointer for get_opt_bool() argument
2018-02-25 11:03:45 +01:00
kyro
drivers/video/fbdev/kyrofb: Use arch_phys_wc_add() and pci_ioremap_wc_bar()
2015-08-25 09:59:44 +02:00
matrox
video: fbdev: matrox: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:49 +03:00
mb862xx
video: fbdev: mb862xx: Fix module autoload for OF platform driver
2015-09-24 14:35:36 +03:00
mbx
video/mbx: indent some if statements
2014-07-01 13:32:30 +03:00
mmp
video: fbdev/mmp: add MODULE_LICENSE
2018-02-25 11:03:37 +01:00
nvidia
video: fbdev: nvidia: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:50 +03:00
omap
Merge tag 'fbdev-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux
2015-11-10 10:00:09 -08:00
omap2
OMAPDSS: fix timings for VENC to match what omapdrm expects
2015-12-09 12:57:13 +02:00
riva
video: fbdev: rivafb: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:52 +03:00
savage
video: fbdev: savagefb: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:50 +03:00
sis
video: fbdev: sis: remove unused variable
2018-02-25 11:03:45 +01:00
vermilion
mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd
2015-11-06 17:50:42 -08:00
via
video: fbdev: via: remove possibly unused variables
2018-02-25 11:03:42 +01:00
68328fb.c
video: 68328fb: remove check for CONFIG_FB_68328_INVERT
2014-06-24 10:55:13 +03:00
acornfb.c
acornfb.h
amba-clcd-versatile.c
video: move Versatile CLCD helpers
2014-06-27 10:15:22 +02:00
amba-clcd.c
video: ARM CLCD: fix dma allocation size
2018-03-22 09:23:24 +01:00
amifb.c
Merge tag 'fbdev-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux
2015-06-23 16:23:30 -07:00
arcfb.c
arkfb.c
drivers/video/fbdev/arkfb.c: Use arch_phys_wc_add() and pci_iomap_wc()
2015-08-25 09:59:45 +02:00
asiliantfb.c
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
atafb.c
video/fbdev, asm/io.h: Remove ioremap_writethrough()
2015-06-07 15:28:57 +02:00
atafb.h
atmel_lcdfb.c
video: fbdev: atmel_lcdfb: fix display-timings lookup
2018-02-22 15:45:00 +01:00
au1100fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
au1100fb.h
MIPS: Alchemy: au1100fb: use clk framework
2014-07-30 14:10:39 +02:00
au1200fb.c
video: fbdev: au1200fb: Return an error code if a memory allocation fails
2017-12-20 10:04:57 +01:00
au1200fb.h
auo_k190x.c
fbdev: auo_k190x: avoid unused function warnings
2018-02-25 11:03:46 +01:00
auo_k190x.h
auo_k1900fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
auo_k1901fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
bf54x-lq043fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
bf537-lq035.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
bfin_adv7393fb.c
fb: adv7393: add missing semicolon
2014-07-01 13:18:38 +03:00
bfin_adv7393fb.h
bfin-lq035q1-fb.c
bfin-t350mcqb-fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
broadsheetfb.c
fbdev: broadsheetfb: fix memory leak
2015-09-30 10:33:57 +03:00
bt431.h
bt455.h
bw2.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
c2p_core.h
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
carminefb.c
carminefb.h
cg3.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
cg6.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
cg14.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
chipsfb.c
fbdev: Remove __init from chips_hw_init() to fix build failure
2014-08-26 12:48:34 +03:00
cirrusfb.c
clps711x-fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
clps711xfb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
cobalt_lcdfb.c
video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap
2017-08-06 19:19:46 -07:00
controlfb.c
powerpc: Move Power Macintosh drivers to generic byteswappers
2015-03-23 14:29:40 +11:00
controlfb.h
fbdev: controlfb: Add missing modes to fix out of bounds access
2017-12-20 10:04:57 +01:00
cyber2000fb.c
video: fbdev: cyber2000fb.c: use container_of to resolve cfb_info from fb_info
2014-09-30 13:06:01 +03:00
cyber2000fb.h
da8xx-fb.c
fbdev: da8xx-fb: fix videomodes of lcd panels
2016-05-04 14:48:51 -07:00
dnfb.c
edid.h
efifb.c
fbdev/efifb: Fix 16 color palette entry calculation
2016-10-28 03:01:29 -04:00
ep93xx-fb.c
ARM/fb: ep93xx: switch framebuffer to use modedb only
2015-08-13 12:25:44 +02:00
fb-puv3.c
drivers/video/fbdev/fb-puv3.c: Add header files for function unifb_mmap
2014-05-23 13:51:10 +03:00
ffb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
fm2fb.c
fsl-diu-fb.c
video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented
2015-12-09 12:57:06 +02:00
g364fb.c
gbefb.c
video: fbdev: gbefb: use arch_phys_wc_add() and devm_ioremap_wc()
2015-06-03 12:41:46 +03:00
goldfishfb.c
grvga.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
gxt4500.c
gxt4500: enable panning
2015-10-08 12:19:39 +03:00
hecubafb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
hgafb.c
video: hgafb: remove unneeded comparison
2015-01-26 14:43:06 +02:00
hitfb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
hpfb.c
video/fbdev, asm/io.h: Remove ioremap_writethrough()
2015-06-07 15:28:57 +02:00
hyperv_fb.c
drivers:hv: Move MMIO range picking from hyper_fb to hv_vmbus
2015-08-05 11:41:31 -07:00
i740_reg.h
i740fb.c
drivers/video/fbdev/i740fb: Use arch_phys_wc_add() and pci_ioremap_wc_bar()
2015-08-25 09:59:44 +02:00
igafb.c
imsttfb.c
fbdev: imsttfb: remove the dependency on PPC_OF
2015-03-17 20:04:31 +11:00
imxfb.c
video: fbdev: imxfb: Constify platform_device_id
2015-06-12 12:40:27 +03:00
jz4740_fb.c
Kconfig
fbdev: sis: enforce selection of at least one backend
2018-02-25 11:03:45 +01:00
leo.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
macfb.c
macmodes.c
macmodes.h
Makefile
staging: sm7xxfb: merge sm712fb with fbdev
2015-08-07 15:05:01 -07:00
maxinefb.c
metronomefb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
mx3fb.c
Merge tag 'driver-core-3.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2014-12-14 16:10:09 -08:00
mxsfb.c
video: fbdev: mxsfb: Constify platform_device_id
2015-06-12 12:40:27 +03:00
n411.c
neofb.c
video: fbdev: neofb: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:49 +03:00
nuc900fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
nuc900fb.h
ocfb.c
cleanup IORESOURCE_CACHEABLE vs ioremap()
2015-08-10 23:07:06 -04:00
offb.c
Revert "offb: Add palette hack for little endian"
2014-06-16 19:45:45 +10:00
p9100.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
platinumfb.c
powerpc: Move Power Macintosh drivers to generic byteswappers
2015-03-23 14:29:40 +11:00
platinumfb.h
pm2fb.c
video: fbdev: pm2fb: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:51 +03:00
pm3fb.c
video: fbdev: pm3fb: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:52 +03:00
pmag-aa-fb.c
pmag-ba-fb.c
video: fbdev: pmag-ba-fb: Remove bad `__init' annotation
2017-11-15 17:13:09 +01:00
pmagb-b-fb.c
ps3fb.c
pvr2fb.c
mm: gup: use get_user_pages_unlocked
2015-02-11 17:06:05 -08:00
pxa3xx-gcu.c
video: fbdev: pxa3xx_gcu: prepare the clocks
2015-08-10 12:25:43 +03:00
pxa3xx-gcu.h
pxa168fb.c
video: fbdev: pxa168fb: Use devm_clk_get
2015-09-01 13:55:32 +03:00
pxa168fb.h
pxafb.c
cpufreq: remove redundant CPUFREQ_INCOMPATIBLE notifier event
2015-09-01 15:50:38 +02:00
pxafb.h
q40fb.c
s1d13xxxfb.c
arch, drivers: don't include <asm/io.h> directly, use <linux/io.h> instead
2015-08-10 23:07:05 -04:00
s3c2410fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
s3c2410fb.h
s3c-fb.c
video: fbdev: s3c-fb: Constify platform_device_id
2015-08-21 08:56:19 +03:00
s3fb.c
drivers/video/fbdev/s3fb: Use arch_phys_wc_add() and pci_iomap_wc()
2015-08-25 09:59:45 +02:00
sa1100fb.c
cpufreq: remove redundant CPUFREQ_INCOMPATIBLE notifier event
2015-09-01 15:50:38 +02:00
sa1100fb.h
ARM: 8244/1: fbdev: sa1100fb: make use of device clock
2014-12-05 16:30:25 +00:00
sbuslib.c
fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
2018-05-30 07:49:04 +02:00
sbuslib.h
sh7760fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
sh_mipi_dsi.c
sh_mobile_hdmi.c
fbdev: sh_mobile_hdmi: Re-init regs before irq re-enable on resume
2014-09-30 13:42:13 +03:00
sh_mobile_lcdcfb.c
fbdev: sh_mobile_lcdc: Fix destruction of uninitialized mutex
2015-04-07 16:24:15 +03:00
sh_mobile_lcdcfb.h
sh_mobile_meram.c
Merge tag 'pm+acpi-3.19-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
2014-12-18 20:28:33 -08:00
simplefb.c
simplefb: Include clk.h
2015-07-20 10:52:46 -07:00
skeletonfb.c
sm501fb.c
sm501fb: don't return zero on failure path in sm501fb_start()
2018-03-24 10:58:46 +01:00
sm712.h
staging: sm7xxfb: merge sm712fb with fbdev
2015-08-07 15:05:01 -07:00
sm712fb.c
fbdev: sm712fb: avoid unused function warnings
2018-02-25 11:03:47 +01:00
smscufx.c
video: smscufx: Deletion of unnecessary checks before the function call "vfree"
2014-12-04 16:16:01 +02:00
ssd1307fb.c
fbdev: ssd1307fb: add ssd1309 support
2015-09-24 14:10:26 +03:00
sstfb.c
sticore.h
stifb.c
arch, drivers: don't include <asm/io.h> directly, use <linux/io.h> instead
2015-08-10 23:07:05 -04:00
sunxvr500.c
sunxvr1000.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
sunxvr2500.c
tcx.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
tdfxfb.c
video: fbdev: tdfxfb: use arch_phys_wc_add() and ioremap_wc()
2015-06-03 12:41:52 +03:00
tgafb.c
tmiofb.c
tridentfb.c
Merge tag 'fbdev-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux
2015-11-10 10:00:09 -08:00
udlfb.c
video: fbdev: udlfb: Fix buffer on stack
2018-03-24 10:58:46 +01:00
uvesafb.c
kernel/params: constify struct kernel_param_ops uses
2015-05-28 11:32:10 +09:30
valkyriefb.c
video: fbdev: valkyriefb.c: use container_of to resolve fb_info_valkyrie from fb_info
2014-09-30 13:06:01 +03:00
valkyriefb.h
vesafb.c
video: fbdev: vesafb: use arch_phys_wc_add()
2015-06-16 09:42:11 +03:00
vfb.c
vfb: fix video mode and line_length being set when loaded
2018-04-13 19:50:13 +02:00
vga16fb.c
vt8500lcdfb.c
video: vt8500lcdfb: remove unneeded continue
2015-01-13 13:35:04 +02:00
vt8500lcdfb.h
vt8623fb.c
drivers/video/fbdev/vt8623fb: Use arch_phys_wc_add() and pci_iomap_wc()
2015-08-25 09:59:45 +02:00
w100fb.c
w100fb.h
wm8505fb_regs.h
wm8505fb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
wmt_ge_rops.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00
wmt_ge_rops.h
xen-fbfront.c
xen, fbfront: fix connecting to backend
2017-04-21 09:30:06 +02:00
xilinxfb.c
video: fbdev: drop owner assignment from platform_drivers
2014-10-20 16:21:51 +02:00