iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/video/fbdev
History
Tomi Valkeinen 1bafcbf59f fbdev/omapfb: fix omapfb_memory_read infoleak 
OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2018-09-26 18:11:22 +02:00
..
aty
video: fbdev: aty: radeon_pm: Replace mdelay with msleep in radeonfb_pci_suspend
2018-04-24 18:11:21 +02:00
core
fbcon: Do not takeover the console from atomic context
2018-08-10 17:23:02 +02:00
geode
x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
2018-02-15 01:15:52 +01:00
i810
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
intelfb
video: fbdev: intelfb: deprecate pci_get_bus_and_slot()
2018-01-17 08:16:46 -06:00
kyro
video: fbdev: kyro: constify pci_device_id.
2017-08-01 17:20:42 +02:00
matrox
video: matroxfb: Delete an error message for a failed memory allocation in matroxfb_crtc2_probe()
2018-03-28 16:34:28 +02:00
mb862xx
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
mbx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mmp
fbdev changes for v4.18:
2018-06-17 05:00:24 +09:00
nvidia
fbdev changes for v4.18:
2018-06-17 05:00:24 +09:00
omap
fbdev: omapfb: off by one in omapfb_register_client()
2018-07-24 19:11:28 +02:00
omap2
fbdev/omapfb: fix omapfb_memory_read infoleak
2018-09-26 18:11:22 +02:00
riva
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
savage
video: fbdev: savage: Replace mdelay with usleep_range in savage_init_hw
2018-04-24 18:11:21 +02:00
sis
video: fbdev: sis: avoid mismatched prototypes
2018-03-12 17:06:52 +01:00
vermilion
video: fbdev: vermilion: use 64-bit arithmetic instead of 32-bit
2018-03-12 17:06:54 +01:00
via
video: fbdev: mark expected switch fall-throughs
2018-07-24 19:11:28 +02:00
68328fb.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
acornfb.c
drivers/video/fbdev: Fixing coding guidelines in acornfb.c
2017-04-07 17:03:24 +02:00
acornfb.h
amba-clcd-nomadik.c
fbdev changes for v4.11:
2017-02-25 13:20:22 -08:00
amba-clcd-nomadik.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
amba-clcd-versatile.c
video: ARM CLCD: use panel device node for panel initialization
2017-01-30 17:39:48 +01:00
amba-clcd-versatile.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
amba-clcd.c
video: ARM CLCD: Improve a size determination in clcdfb_probe()
2018-03-28 16:34:29 +02:00
amifb.c
fb: amifb: fix build warnings when not builtin
2018-07-31 13:06:58 +02:00
arcfb.c
Annotate hardware config module parameters in drivers/video/
2017-04-20 12:02:32 +01:00
arkfb.c
video: fbdev: arkfb: constify pci_device_id.
2017-08-01 17:20:42 +02:00
asiliantfb.c
video: fbdev: asiliantfb: constify pci_device_id.
2017-08-01 17:20:41 +02:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atafb.c
atafb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atmel_lcdfb.c
video: fbdev: atmel_lcdfb: convert to use GPIO descriptors
2018-03-12 17:06:52 +01:00
au1100fb.c
fbdev changes for v4.18:
2018-06-17 05:00:24 +09:00
au1100fb.h
au1200fb.c
video: fbdev: fix spelling mistake: "frambuffer" -> "framebuffer"
2018-05-15 12:41:11 +02:00
au1200fb.h
fbdev: au1200fb: delete duplicate header contents
2018-01-04 16:53:49 +01:00
broadsheetfb.c
treewide: kzalloc() -> kcalloc()
2018-06-12 16:19:22 -07:00
bt431.h
bt455.h
bw2.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
c2p_core.h
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
carminefb.c
carminefb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
cg3.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
cg6.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
cg14.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
chipsfb.c
video/chips: constify fb_fix_screeninfo and fb_var_screeninfo structures
2017-08-01 17:20:39 +02:00
cirrusfb.c
video: fbdev: cirrusfb: mark expected switch fall-throughs
2017-11-09 18:09:32 +01:00
clps711x-fb.c
video: clps711x-fb: Changing the compatibility string to match with the smallest supported chip
2016-07-06 17:38:19 +02:00
clps711xfb.c
cobalt_lcdfb.c
video: cobalt_lcdfb: constify fb_fix_screeninfo structure
2017-08-01 17:20:39 +02:00
controlfb.c
controlfb.h
fbdev: controlfb: Add missing modes to fix out of bounds access
2017-11-09 18:09:33 +01:00
cyber2000fb.c
video: fbdev: make fb_videomode const
2017-09-04 16:00:49 +02:00
cyber2000fb.h
da8xx-fb.c
fbdev: da8xx-fb: Drop unnecessary static
2017-08-01 17:20:39 +02:00
dnfb.c
video/fbdev/dnfb: Use common error handling code in dnfb_probe()
2017-11-09 18:09:31 +01:00
edid.h
efifb.c
fbdev changes for v4.19:
2018-08-23 15:44:58 -07:00
ep93xx-fb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
fb-puv3.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
ffb.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
fm2fb.c
video: fm2fb: constify zorro_device_id
2017-09-04 16:00:49 +02:00
fsl-diu-fb.c
video: fbdev: fsl-diu-fb: Remove VLA usage
2018-07-24 19:11:26 +02:00
g364fb.c
gbefb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
goldfishfb.c
video: goldfishfb: fix memory leak on driver remove
2018-07-24 19:11:27 +02:00
grvga.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
gxt4500.c
hecubafb.c
video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures
2016-09-27 11:16:35 +03:00
hgafb.c
video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures
2016-09-27 11:16:35 +03:00
hitfb.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
hpfb.c
hpfb: use probe_kernel_read()
2017-05-27 15:41:17 -04:00
hyperv_fb.c
use the new async probing feature for the hyperv drivers
2018-07-03 13:02:28 +02:00
i740_reg.h
i740fb.c
video: fbdev: mark expected switch fall-throughs
2018-07-24 19:11:28 +02:00
imsttfb.c
video: fbdev: imsttfb: constify pci_device_id.
2017-08-01 17:20:43 +02:00
imxfb.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
jz4740_fb.c
fbdev: jz4740-fb: Let the pinctrl driver configure the pins
2017-05-22 17:22:06 +02:00
Kconfig
video: fbdev: via: allow COMPILE_TEST build
2018-05-15 12:41:10 +02:00
leo.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
macfb.c
nubus: Adopt standard linked list implementation
2018-01-16 16:47:29 +01:00
macmodes.c
macmodes.h
Makefile
video: fbdev: remove unused sh_mobile_meram driver
2018-05-14 15:47:30 +02:00
maxinefb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
metronomefb.c
video: fbdev: metronomefb: fix some off by one bugs
2018-07-24 19:11:26 +02:00
mx3fb.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
mxsfb.c
treewide: devm_kzalloc() -> devm_kcalloc()
2018-06-12 16:19:22 -07:00
n411.c
Annotate hardware config module parameters in drivers/video/
2017-04-20 12:02:32 +01:00
neofb.c
video: fbdev: neofb: constify pci_device_id.
2017-08-01 17:20:44 +02:00
nuc900fb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
nuc900fb.h
ocfb.c
offb.c
video: offb: Deallocate the color map
2018-03-12 17:06:54 +01:00
p9100.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
platinumfb.c
platinumfb.h
pm2fb.c
video: fbdev: mark expected switch fall-throughs
2018-07-24 19:11:28 +02:00
pm3fb.c
video: fbdev: pm3fb: constify pci_device_id.
2017-08-01 17:20:45 +02:00
pmag-aa-fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
pmag-ba-fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
pmagb-b-fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
ps3fb.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
pvr2fb.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
pxa3xx-gcu.c
video: fbdev: pxa3xx_gcu: add devicetree bindings
2018-07-24 19:11:25 +02:00
pxa3xx-gcu.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
pxa168fb.c
pxa168fb: prepare the clock
2018-09-26 18:11:22 +02:00
pxa168fb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
pxafb.c
video: fbdev: pxafb: Add support for lcd-supply regulator
2018-07-24 19:11:26 +02:00
pxafb.h
video: fbdev: pxafb: Add support for lcd-supply regulator
2018-07-24 19:11:26 +02:00
q40fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
s1d13xxxfb.c
fbdev: s1d13xxxfb: remove m32r specific hacks
2018-03-26 15:56:46 +02:00
s3c2410fb.c
video: s3c2410fb: Register cpufreq notifier only on S3C24xx
2016-08-11 17:54:55 +03:00
s3c2410fb.h
video: s3c2410fb: Register cpufreq notifier only on S3C24xx
2016-08-11 17:54:55 +03:00
s3c-fb.c
video: fbdev: s3c-fb: remove dead platform code for Exynos and S5PV210 platforms
2018-03-28 16:34:29 +02:00
s3fb.c
video: fbdev: s3fb: constify pci_device_id.
2017-08-01 17:20:45 +02:00
sa1100fb.c
video: sa1100fb: move pseudo palette into sa1100fb_info structure
2017-10-17 16:01:13 +02:00
sa1100fb.h
video: sa1100fb: move pseudo palette into sa1100fb_info structure
2017-10-17 16:01:13 +02:00
sbuslib.c
fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
2018-03-07 14:00:34 +01:00
sbuslib.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sh7760fb.c
sh_mobile_lcdcfb.c
video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support
2018-05-14 15:47:30 +02:00
sh_mobile_lcdcfb.h
video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support
2018-05-14 15:47:30 +02:00
simplefb.c
video: fbdev: simplefb: Stop including <linux/clk-provider.h>
2018-07-03 17:43:09 +02:00
skeletonfb.c
docs: fix broken references with multiple hints
2018-06-15 18:10:01 -03:00
sm501fb.c
video: sm501fb: Improve a size determination in sm501fb_probe()
2018-04-26 12:24:18 +02:00
sm712.h
sm712fb.c
video: fbdev: sm712fb.c: fixed constant-left comparison warning
2017-08-01 17:20:38 +02:00
smscufx.c
video: smscufx: Delete an error message for a failed memory allocation in ufx_realloc_framebuffer()
2018-03-28 16:34:28 +02:00
ssd1307fb.c
video: ssd1307fb: Improve a size determination in ssd1307fb_probe()
2018-03-28 16:34:28 +02:00
sstfb.c
sticore.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
stifb.c
fbdev changes for v4.17:
2018-04-10 10:20:00 -07:00
sunxvr500.c
video: fbdev: sunxvr500: constify pci_device_id.
2017-08-01 17:20:43 +02:00
sunxvr1000.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
sunxvr2500.c
video: fbdev: sunxvr2500: constify pci_device_id.
2017-08-01 17:20:41 +02:00
tcx.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
tdfxfb.c
video: fbdev: mark expected switch fall-throughs
2018-07-24 19:11:28 +02:00
tgafb.c
tmiofb.c
tridentfb.c
video: fbdev: tridentfb: remove deadcode on unreachable case statement
2018-07-24 19:11:28 +02:00
udlfb.c
udlfb: use spin_lock_irq instead of spin_lock_irqsave
2018-07-25 15:41:57 +02:00
uvesafb.c
treewide: kzalloc() -> kcalloc()
2018-06-12 16:19:22 -07:00
valkyriefb.c
valkyriefb.h
vesafb.c
vfb.c
vfb: fix video mode and line_length being set when loaded
2018-01-04 16:53:50 +01:00
vga16fb.c
video: fbdev: remove redundant self assignment of 'height'
2017-12-29 19:48:43 +01:00
vt8500lcdfb.c
video/fbdev/vt8500lcdfb: Delete an error message for a failed memory allocation in vt8500lcd_probe()
2017-12-29 19:48:44 +01:00
vt8500lcdfb.h
vt8623fb.c
video: fbdev: vt8623fb: constify vt8623_timing_regs
2017-08-18 19:56:40 +02:00
w100fb.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
w100fb.h
wm8505fb_regs.h
wm8505fb.c
video/fbdev/wm8505fb: Delete an error message for a failed memory allocation in wm8505fb_probe()
2017-12-29 19:48:43 +01:00
wmt_ge_rops.c
wmt_ge_rops.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xen-fbfront.c
treewide: Use array_size() in vmalloc()
2018-06-12 16:19:22 -07:00
xilinxfb.c
video: fbdev: Fix multiple style issues in xilinxfb
2017-08-21 16:49:57 +02:00