freebsd-nq/sys/dev/drm
Ed Maste 7976b9c5e0 Correct signedness bug in drm_modeset_ctl
drm_modeset_ctl() takes a signed in from userland, does a boundscheck,
and then uses it to index into a structure and write to it.  The
boundscheck only checks upper bound, and never checks for nagative
values.  If the int coming from userland is negative [after conversion]
it will bypass the boundscheck, perform a negative index into an array
and write to it, causing memory corruption.

Note that this is in the "old" drm driver; this issue does not exist
in drm2.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by:	cem
MFC after:	1 day
Sponsored by:	The FreeBSD Foundation
2018-03-22 01:00:55 +00:00
..
ati_pcigart.c
drm_agpsupport.c
drm_atomic.h
drm_auth.c
drm_bufs.c Fix kernel memory disclosure in drm_infobufs 2018-03-21 23:51:14 +00:00
drm_context.c
drm_dma.c
drm_drawable.c
drm_drv.c
drm_fops.c
drm_hashtab.c
drm_hashtab.h
drm_internal.h
drm_ioctl.c
drm_irq.c Correct signedness bug in drm_modeset_ctl 2018-03-22 01:00:55 +00:00
drm_linux_list.h
drm_lock.c
drm_memory.c
drm_mm.c
drm_mm.h
drm_pci.c
drm_pciids.h
drm_sarea.h
drm_scatter.c Use atop() instead of OFF_TO_IDX() for convertion of addresses or 2017-03-14 19:39:17 +00:00
drm_sman.c
drm_sman.h
drm_sysctl.c
drm_vm.c
drm.h
drmP.h Add PNP metadata to more drivers 2017-09-26 23:23:58 +00:00
mach64_dma.c
mach64_drm.h
mach64_drv.c
mach64_drv.h
mach64_irq.c
mach64_state.c
mga_dma.c
mga_drm.h
mga_drv.c
mga_drv.h
mga_irq.c
mga_state.c kernel: Fix several typos and minor errors 2017-12-27 03:23:21 +00:00
mga_ucode.h
mga_warp.c
r128_cce.c
r128_drm.h
r128_drv.c
r128_drv.h
r128_irq.c
r128_state.c
savage_bci.c
savage_drm.h
savage_drv.c
savage_drv.h
savage_state.c
sis_drm.h
sis_drv.c
sis_drv.h
sis_ds.c
sis_ds.h
sis_mm.c
tdfx_drv.c
tdfx_drv.h
via_3d_reg.h
via_dma.c
via_dmablit.c
via_dmablit.h
via_drm.h
via_drv.c
via_drv.h
via_irq.c
via_map.c
via_mm.c
via_verifier.c
via_verifier.h
via_video.c