Correct signedness bug in drm_modeset_ctl

drm_modeset_ctl() takes a signed int from userland, does a boundscheck,
and then uses it to index into a structure and write to it.  The
boundscheck only checks upper bound, and never checks for negative
values.  If the int coming from userland is negative [after conversion]
it will bypass the boundscheck, perform a negative index into an array
and write to it, causing memory corruption.

Note that this is in the "old" drm driver; this issue does not exist
in drm2.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by:	cem
MFC after:	1 day
Sponsored by:	The FreeBSD Foundation
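An added illustration of the signedness bug the message describes (example code written for this page, not the FreeBSD driver source): a stand-in device with a signed `num_crtcs`, the upper-bound-only check, the check the commit introduces, and an equivalent single unsigned comparison. The `fake_dev` layout, the `NUM_CRTCS` value and the signedness of `num_crtcs` are assumptions for the demonstration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_CRTCS 2   /* constructed: a two-CRTC device */

/* Minimal stand-in for the driver state; not the FreeBSD drm structure. */
struct fake_dev {
	int num_crtcs;                   /* assumed signed, as the message implies */
	int vblank_refcount[NUM_CRTCS];  /* the per-CRTC slot the ioctl writes */
};

static struct fake_dev g_dev = { NUM_CRTCS, { 0 } };

/* Pre-fix check: upper bound only. With both operands signed, every
 * negative crtc satisfies crtc < num_crtcs and is accepted. */
static bool crtc_ok_old(int num_crtcs, int crtc)
{
	return !(crtc >= num_crtcs);
}

/* The check the commit introduces: reject negatives explicitly. */
static bool crtc_ok_fixed(int num_crtcs, int crtc)
{
	return !(crtc < 0 || crtc >= num_crtcs);
}

/* Equivalent single comparison: the unsigned cast maps negatives to huge
 * values that fail the upper bound. Valid only if num_crtcs >= 0. */
static bool crtc_ok_unsigned(int num_crtcs, int crtc)
{
	return (unsigned)crtc < (unsigned)num_crtcs;
}

/* Fixed ioctl body: validate first, then touch the per-CRTC slot. */
static int modeset_ctl_fixed(struct fake_dev *dev, int crtc, int enable)
{
	if (!crtc_ok_fixed(dev->num_crtcs, crtc))
		return EINVAL;
	dev->vblank_refcount[crtc] += enable ? 1 : -1;
	return 0;
}

static int refcount(int crtc) { return g_dev.vblank_refcount[crtc]; }

int main(void)
{
	int in[] = { -1, INT_MIN, 1, NUM_CRTCS };   /* constructed userland values */
	for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
		printf("crtc=%d old:%d fixed:%d unsigned:%d\n", in[i],
		    crtc_ok_old(NUM_CRTCS, in[i]), crtc_ok_fixed(NUM_CRTCS, in[i]),
		    crtc_ok_unsigned(NUM_CRTCS, in[i]));
	return 0;
}
```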
Ed Maste 2018-03-22 01:00:55 +00:00
parent 08a7e74c7c
commit 7976b9c5e0


@ -351,7 +351,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data,
goto out;
crtc = modeset->crtc;
if (crtc >= dev->num_crtcs) {
if (crtc < 0 || crtc >= dev->num_crtcs) {
ret = EINVAL;
goto out;
}
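Review bot: the added `crtc < 0` test closes the hole only because the comparison is signed on both sides, so it is worth confirming in the same change that the local `crtc` and `modeset->crtc` (assigned two lines above) are both signed types; if `crtc` were unsigned the new clause would be always-false and draw a compiler warning, and if `dev->num_crtcs` were unsigned the original `crtc >= dev->num_crtcs` would already have promoted a negative value and rejected it. A one-line comment above the check noting that the index comes from userland would help the next reader see why both bounds are tested.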