iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/video/fbdev
History
Peter Malone 250c6c49e3 fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). 
Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
sbusfb_ioctl_helper().

'index' is defined as an int in sbusfb_ioctl_helper().
We retrieve this from the user:
if (get_user(index, &c->index) ||
    __get_user(count, &c->count) ||
    __get_user(ured, &c->red) ||
    __get_user(ugreen, &c->green) ||
    __get_user(ublue, &c->blue))
       return -EFAULT;

and then we use 'index' in the following way:
red = cmap->red[index + i] >> 8;
green = cmap->green[index + i] >> 8;
blue = cmap->blue[index + i] >> 8;

This is a classic information leak vulnerability. 'index' should be
an unsigned int, given its usage above.

This patch is straight-forward; it changes 'index' to unsigned int
in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.

This patch fixes CVE-2018-6412.

Signed-off-by: Peter Malone <peter.malone@gmail.com>
Acked-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2018-03-07 14:00:34 +01:00
..
aty
fbdev: radeon: use ktime_get() for HZ calibration
2018-01-04 16:53:49 +01:00
core
fbcon: Remove dmi quirk table
2017-12-04 23:03:22 +01:00
geode
x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
2018-02-15 01:15:52 +01:00
i810
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
intelfb
video: fbdev: intelfb: deprecate pci_get_bus_and_slot()
2018-01-17 08:16:46 -06:00
kyro
video: fbdev: kyro: constify pci_device_id.
2017-08-01 17:20:42 +02:00
matrox
fbdev changes for v4.15:
2017-11-20 21:50:24 -10:00
mb862xx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mbx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mmp
video: fbdev/mmp: add MODULE_LICENSE
2018-01-15 17:04:22 +01:00
nvidia
video: fbdev: nvidia: deprecate pci_get_bus_and_slot()
2018-01-17 08:16:46 -06:00
omap
fbdev changes for v4.15:
2017-11-20 21:50:24 -10:00
omap2
video: omapfb: fix missing #includes
2018-02-09 14:43:49 +01:00
riva
video: fbdev: riva: deprecate pci_get_bus_and_slot()
2018-01-17 08:16:46 -06:00
savage
video: fbdev: savage: constify pci_device_id.
2017-08-01 17:20:42 +02:00
sis
video: fbdev: sis_main: mark expected switch fall-throughs
2017-11-09 18:09:33 +01:00
vermilion
video: fbdev: make fb_videomode const
2017-09-04 16:00:49 +02:00
via
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
68328fb.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
acornfb.c
drivers/video/fbdev: Fixing coding guidelines in acornfb.c
2017-04-07 17:03:24 +02:00
acornfb.h
amba-clcd-nomadik.c
fbdev changes for v4.11:
2017-02-25 13:20:22 -08:00
amba-clcd-nomadik.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
amba-clcd-versatile.c
video: ARM CLCD: use panel device node for panel initialization
2017-01-30 17:39:48 +01:00
amba-clcd-versatile.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
amba-clcd.c
video: ARM CLCD: constify amba_id
2017-09-04 16:00:49 +02:00
amifb.c
video: fbdev: amifb: remove impossible condition
2017-02-08 16:44:00 +01:00
arcfb.c
Annotate hardware config module parameters in drivers/video/
2017-04-20 12:02:32 +01:00
arkfb.c
video: fbdev: arkfb: constify pci_device_id.
2017-08-01 17:20:42 +02:00
asiliantfb.c
video: fbdev: asiliantfb: constify pci_device_id.
2017-08-01 17:20:41 +02:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atafb.c
fbdev: kill fb_rotate
2016-02-26 13:28:35 +02:00
atafb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atmel_lcdfb.c
video: fbdev: atmel_lcdfb: fix display-timings lookup
2017-12-29 19:48:43 +01:00
au1100fb.c
au1100fb: remove a bogus dma_free_nonconsistent call
2017-06-28 06:54:57 -07:00
au1100fb.h
au1200fb.c
video: fbdev: au1200fb: Style clean up
2017-11-09 18:09:30 +01:00
au1200fb.h
fbdev: au1200fb: delete duplicate header contents
2018-01-04 16:53:49 +01:00
auo_k190x.c
fbdev changes for v4.16:
2018-02-07 13:10:43 -08:00
auo_k190x.h
auo_k1900fb.c
auo_k1901fb.c
bf54x-lq043fb.c
bf537-lq035.c
fbdev: kill fb_rotate
2016-02-26 13:28:35 +02:00
bfin_adv7393fb.c
fb: adv7393: off by one in probe function
2016-08-30 12:06:12 +03:00
bfin_adv7393fb.h
fbdev/bfin_adv7393fb: move DRIVER_NAME before its first use
2016-08-02 19:35:05 -04:00
bfin-lq035q1-fb.c
video: bfin-lq035q1-fb: constify dev_pm_ops
2017-08-01 17:20:40 +02:00
bfin-t350mcqb-fb.c
broadsheetfb.c
fbdev: broadsheetfb: fix memory leak
2015-09-30 10:33:57 +03:00
bt431.h
video: fbdev: bt431: Correct cursor format control macro
2016-02-26 13:06:11 +02:00
bt455.h
video: fbdev: pmag-ba-fb: Optimize Bt455 colormap addressing
2016-02-26 13:06:11 +02:00
bw2.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
c2p_core.h
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
carminefb.c
carminefb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
cg3.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
cg6.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
cg14.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
chipsfb.c
video/chips: constify fb_fix_screeninfo and fb_var_screeninfo structures
2017-08-01 17:20:39 +02:00
cirrusfb.c
video: fbdev: cirrusfb: mark expected switch fall-throughs
2017-11-09 18:09:32 +01:00
clps711x-fb.c
video: clps711x-fb: Changing the compatibility string to match with the smallest supported chip
2016-07-06 17:38:19 +02:00
clps711xfb.c
cobalt_lcdfb.c
video: cobalt_lcdfb: constify fb_fix_screeninfo structure
2017-08-01 17:20:39 +02:00
controlfb.c
powerpc: Move Power Macintosh drivers to generic byteswappers
2015-03-23 14:29:40 +11:00
controlfb.h
fbdev: controlfb: Add missing modes to fix out of bounds access
2017-11-09 18:09:33 +01:00
cyber2000fb.c
video: fbdev: make fb_videomode const
2017-09-04 16:00:49 +02:00
cyber2000fb.h
da8xx-fb.c
fbdev: da8xx-fb: Drop unnecessary static
2017-08-01 17:20:39 +02:00
dnfb.c
video/fbdev/dnfb: Use common error handling code in dnfb_probe()
2017-11-09 18:09:31 +01:00
edid.h
efifb.c
efifb: Set info->fbcon_rotate_hint based on drm_get_panel_orientation_quirk
2017-12-04 23:03:21 +01:00
ep93xx-fb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
fb-puv3.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
ffb.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
fm2fb.c
video: fm2fb: constify zorro_device_id
2017-09-04 16:00:49 +02:00
fsl-diu-fb.c
video: fbdev: fsl-diu-fb: constify mfb_template and fsl_diu_match.
2017-07-04 17:47:22 +02:00
g364fb.c
gbefb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
goldfishfb.c
video: goldfishfb: Add support for device tree bindings
2017-11-09 18:09:31 +01:00
grvga.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
gxt4500.c
gxt4500: enable panning
2015-10-08 12:19:39 +03:00
hecubafb.c
video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures
2016-09-27 11:16:35 +03:00
hgafb.c
video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures
2016-09-27 11:16:35 +03:00
hitfb.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
hpfb.c
hpfb: use probe_kernel_read()
2017-05-27 15:41:17 -04:00
hyperv_fb.c
drivers:hv: Use new vmbus_mmio_free() from client drivers.
2016-04-30 14:01:37 -07:00
i740_reg.h
i740fb.c
video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures
2016-09-27 11:16:35 +03:00
imsttfb.c
video: fbdev: imsttfb: constify pci_device_id.
2017-08-01 17:20:43 +02:00
imxfb.c
video: fbdev: imxfb: use after free in imxfb_remove()
2017-07-31 18:45:41 +02:00
jz4740_fb.c
fbdev: jz4740-fb: Let the pinctrl driver configure the pins
2017-05-22 17:22:06 +02:00
Kconfig
Kbuild updates for v4.16 (2nd)
2018-02-09 19:32:41 -08:00
leo.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
macfb.c
nubus: Adopt standard linked list implementation
2018-01-16 16:47:29 +01:00
macmodes.c
macmodes.h
Makefile
fbdev changes for v4.15:
2017-11-20 21:50:24 -10:00
maxinefb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
metronomefb.c
lib/vsprintf.c: remove %Z support
2017-02-27 18:43:47 -08:00
mx3fb.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
mxsfb.c
fbdev: mxsfb: use framebuffer_alloc in the correct way
2018-01-15 17:04:22 +01:00
n411.c
Annotate hardware config module parameters in drivers/video/
2017-04-20 12:02:32 +01:00
neofb.c
video: fbdev: neofb: constify pci_device_id.
2017-08-01 17:20:44 +02:00
nuc900fb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
nuc900fb.h
ocfb.c
ocfb: fix tgdel and tvdel timing parameters
2016-01-29 13:34:07 +02:00
offb.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
p9100.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
platinumfb.c
powerpc: Move Power Macintosh drivers to generic byteswappers
2015-03-23 14:29:40 +11:00
platinumfb.h
pm2fb.c
video: fbdev: pm2fb: constify pci_device_id.
2017-08-01 17:20:43 +02:00
pm3fb.c
video: fbdev: pm3fb: constify pci_device_id.
2017-08-01 17:20:45 +02:00
pmag-aa-fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
pmag-ba-fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
pmagb-b-fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
ps3fb.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
pvr2fb.c
pvr2fs: use get_user_pages_fast()
2017-09-22 23:14:36 -04:00
pxa3xx-gcu.c
fbdev: pxa3xx: use ktime_get_ts64 for time stamps
2018-01-04 16:53:49 +01:00
pxa3xx-gcu.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
pxa168fb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
pxa168fb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
pxafb.c
video: fbdev: pxafb: Handle return value of clk_prepare_enable
2017-06-14 17:40:56 +02:00
pxafb.h
video: fbdev: pxafb: loosen the platform data bond
2015-12-15 15:41:24 +02:00
q40fb.c
video: fbdev: make fb_var_screeninfo const
2017-09-04 16:00:50 +02:00
s1d13xxxfb.c
video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures
2016-09-27 11:16:35 +03:00
s3c2410fb.c
video: s3c2410fb: Register cpufreq notifier only on S3C24xx
2016-08-11 17:54:55 +03:00
s3c2410fb.h
video: s3c2410fb: Register cpufreq notifier only on S3C24xx
2016-08-11 17:54:55 +03:00
s3c-fb.c
dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc()
2016-03-09 14:57:51 +01:00
s3fb.c
video: fbdev: s3fb: constify pci_device_id.
2017-08-01 17:20:45 +02:00
sa1100fb.c
video: sa1100fb: move pseudo palette into sa1100fb_info structure
2017-10-17 16:01:13 +02:00
sa1100fb.h
video: sa1100fb: move pseudo palette into sa1100fb_info structure
2017-10-17 16:01:13 +02:00
sbuslib.c
fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
2018-03-07 14:00:34 +01:00
sbuslib.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sh7760fb.c
sh_mobile_lcdcfb.c
video: fbdev: sh_mobile_lcdcfb: constify sh_mobile_lcdc_bl_ops.
2017-06-14 17:40:57 +02:00
sh_mobile_lcdcfb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sh_mobile_meram.c
More ACPI and power management updates for 3.19-rc1
2014-12-18 20:28:33 -08:00
simplefb.c
video: fbdev: simplefb: Separate clk / regulator get and enable steps
2017-01-11 17:09:50 +01:00
skeletonfb.c
video: fbdev: annotate fb_fix_screeninfo with const and __initconst
2017-09-04 16:00:49 +02:00
sm501fb.c
video: fbdev: sm501fb: fix potential null pointer dereference on fbi
2017-11-17 17:21:48 +01:00
sm712.h
staging: sm7xxfb: merge sm712fb with fbdev
2015-08-07 15:05:01 -07:00
sm712fb.c
video: fbdev: sm712fb.c: fixed constant-left comparison warning
2017-08-01 17:20:38 +02:00
smscufx.c
video: smscufx: Improve a size determination in two functions
2017-12-29 19:48:44 +01:00
ssd1307fb.c
fbdev/ssd1307fb: fix optional VBAT support
2017-04-07 17:28:23 +02:00
sstfb.c
sticore.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
stifb.c
video: fbdev: stifb: handle NULL return value from ioremap_nocache
2017-01-30 17:39:49 +01:00
sunxvr500.c
video: fbdev: sunxvr500: constify pci_device_id.
2017-08-01 17:20:43 +02:00
sunxvr1000.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
sunxvr2500.c
video: fbdev: sunxvr2500: constify pci_device_id.
2017-08-01 17:20:41 +02:00
tcx.c
video: fbdev: Convert to using %pOF instead of full_name
2017-08-07 17:22:13 +02:00
tdfxfb.c
video: fbdev: tdfx: constify pci_device_id.
2017-08-01 17:20:43 +02:00
tgafb.c
tmiofb.c
tridentfb.c
video: fbdev: tridentfb: constify pci_device_id.
2017-08-01 17:20:41 +02:00
udlfb.c
video: udlfb: Switch from the pr_*() to the dev_*() logging functions
2018-01-16 16:35:20 +01:00
uvesafb.c
fbdev changes for v4.14:
2017-09-14 13:33:33 -07:00
valkyriefb.c
valkyriefb.h
vesafb.c
video: fbdev: vesafb: use arch_phys_wc_add()
2015-06-16 09:42:11 +03:00
vfb.c
vfb: fix video mode and line_length being set when loaded
2018-01-04 16:53:50 +01:00
vga16fb.c
video: fbdev: remove redundant self assignment of 'height'
2017-12-29 19:48:43 +01:00
vt8500lcdfb.c
video/fbdev/vt8500lcdfb: Delete an error message for a failed memory allocation in vt8500lcd_probe()
2017-12-29 19:48:44 +01:00
vt8500lcdfb.h
vt8623fb.c
video: fbdev: vt8623fb: constify vt8623_timing_regs
2017-08-18 19:56:40 +02:00
w100fb.c
treewide: Use DEVICE_ATTR_RW
2018-01-09 16:33:31 +01:00
w100fb.h
wm8505fb_regs.h
wm8505fb.c
video/fbdev/wm8505fb: Delete an error message for a failed memory allocation in wm8505fb_probe()
2017-12-29 19:48:43 +01:00
wmt_ge_rops.c
wmt_ge_rops.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xen-fbfront.c
fbdev changes for v4.12:
2017-05-11 11:12:26 -07:00
xilinxfb.c
video: fbdev: Fix multiple style issues in xilinxfb
2017-08-21 16:49:57 +02:00