On Thu, 2004-01-08 at 20:08, Robert T. Johnson wrote:
> Both of these bugs look exploitable.  The vt.c patch is
> self-explanatory.  
> 
> In gamma_dma.c, argument "d" to gamma_dma_priority() points to a
> structure copied from userspace (see gamma_dma()).  That means that
> d->send_indices is a pointer under user control, so it shouldn't be
> dereferenced.  The patch just safely copies the contents to a kernel
> buffer and uses that instead.  Ditto for d->send_sizes.

Fortunately (in this case) Gamma hasn't worked since about 1999. The SiS
DRM driver in the XFree 4.4 snapshot is also exploitable, although the 4.3
one seems OK. If you feed the memory allocator random crap it oopses.
With 4.3.x (i.e. the code in 2.4.x) it doesn't oops but requires sis_fb.
With 4.3.99... it oopses if I don't have sisfb.

> Also, I notice the drm code uses its own memory allocation wrappers.  I
> don't know all the details of the drm code, so I just used kmalloc. 
> You'll probably want to change those two calls after applying the
> patch.  Sorry for the inconvenience.

It comes out as kmalloc, but it's done so it will be portable to other
systems. So on *BSD it comes out appropriately too.

Incidentally the gamma code appears to have maths overflow problems in
the kmalloc paths too.
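As an added example (not code from this thread or from the DRM tree), the following userspace C model shows the two hazards discussed above: a request struct copied in from userspace whose pointer fields are still user addresses, and a kmalloc size computation that can wrap. The struct, function names, and the malloc/memcpy stand-ins for kmalloc/copy_from_user are assumptions made so it compiles with plain gcc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Hypothetical stand-in for the request struct gamma_dma() copies in from
 * userspace; its pointer fields remain user addresses after the copy. */
struct dma_req {
    unsigned long send_count;
    int *send_indices;   /* user pointer: never dereference it in the kernel */
};

/* Overflow-checked count * elem for the kmalloc size. Returns 0 when count is
 * zero or the product would wrap, so a wrapped size is never allocated. */
size_t checked_array_bytes(unsigned long count, size_t elem)
{
    if (count == 0 || count > SIZE_MAX / elem) return 0;
    return (size_t)count * elem;
}

/* The fix the thread describes: copy the user array into a kernel-owned buffer
 * and work on that. Returns NULL with a -errno value in *err on failure.
 * malloc/memcpy stand in for kmalloc/copy_from_user so this runs in userspace;
 * a NULL user pointer models the unmapped address copy_from_user rejects. */
int *copy_user_array(const int *uptr, unsigned long count, int *err)
{
    size_t bytes = checked_array_bytes(count, sizeof(int));
    int *kbuf;
    if (bytes == 0) { *err = -EINVAL; return NULL; }
    kbuf = malloc(bytes);                    /* kmalloc(bytes, GFP_KERNEL) */
    if (!kbuf) { *err = -ENOMEM; return NULL; }
    if (uptr == NULL) { free(kbuf); *err = -EFAULT; return NULL; }
    memcpy(kbuf, uptr, bytes);               /* copy_from_user(kbuf, uptr, bytes) */
    *err = 0;
    return kbuf;
}

/* Stand-in for gamma_dma_priority(): consumes d->send_indices only through the
 * kernel copy, never through the user pointer itself. */
int dma_priority_checked(const struct dma_req *d, long *total)
{
    int err, *idx = copy_user_array(d->send_indices, d->send_count, &err);
    if (!idx) return err;
    *total = 0;
    for (unsigned long i = 0; i < d->send_count; i++) *total += idx[i];
    free(idx);
    return 0;
}
```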



_______________________________________________
Dri-devel mailing list
https://lists.sourceforge.net/lists/listinfo/dri-devel