On Thu, 2004-01-08 at 15:52, Alan Cox wrote:
> On Iau, 2004-01-08 at 20:08, Robert T. Johnson wrote:
> > Both of these bugs look exploitable.  The vt.c patch is
> > self-explanatory.  
> > 
> > In gamma_dma.c, argument "d" to gamma_dma_priority() points to a
> > structure copied from userspace (see gamma_dma()).  That means that
> > d->send_indices is a pointer under user control, so it shouldn't be
> > dereferenced.  The patch just safely copies the contents to a kernel
> > buffer and uses that instead.  Ditto for d->send_sizes.
> 
> Fortunately (in this case) Gamma hasn't worked since about 1999. The SiS
> DRM driver in XFree 4.4 snapshot is also exploitable although the 4.3
> one seems ok. If you feed the memory allocator random crap it oopses.
> With 4.3.x (ie the code in 2.4.x) it doesn't oops but requires sis_fb.
> With 4.3.99... it oopses if I don't have sisfb.

Uhoh, the SiS is my fault.  I'll take a look soon.

> > Also, I notice the drm code uses its own memory allocation wrappers.  I
> > don't know all the details of the drm code, so I just used kmalloc. 
> > You'll probably want to change those two calls after applying the
> > patch.  Sorry for the inconvenience.
> 
> It comes out as kmalloc, but it's done so it will be portable to other
> systems. So on *BSD it comes out appropriately too.

Actually, they were wrapped originally because there was a bunch of
debugging and statistics code for memory allocation.  That's been axed
because nobody actually used it, so now they're just left as functions
wrapping the OS's malloc/free.

-- 
Eric Anholt                                [EMAIL PROTECTED]          
http://people.freebsd.org/~anholt/         [EMAIL PROTECTED]
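
The bug class described in the quoted gamma_dma.c report (a struct copied from userspace whose pointer members are then dereferenced directly), shown with its fix as an added user-space C example; it is not the patch from this thread or DRM code. The struct layout, `MAX_SEND`, `NUM_BUFS`, the mock `copy_from_user` and the simulated user range are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEND 64  /* assumed cap on entries per request */
#define NUM_BUFS 16  /* assumed number of DMA buffers */
int user_mem[128];                    /* constructed stand-in for user memory */
int kernel_secret[4] = {7, 7, 7, 7};  /* kernel data a caller must not reach */

/* Hypothetical request: the struct was copied in, its pointers are still user addresses. */
struct dma_req { int send_count; int *send_indices; int *send_sizes; };

/* Mock copy_from_user(): nonzero if [src, src+n) leaves the user range. */
static int mock_copy_from_user(void *dst, const void *src, size_t n)
{
    uintptr_t lo = (uintptr_t)user_mem, hi = lo + sizeof(user_mem);
    uintptr_t s = (uintptr_t)src;
    if (s < lo || s > hi || n > hi - s)
        return 1;
    memcpy(dst, src, n);
    return 0;
}

/* Copy count ints from a user pointer into a new buffer; NULL on failure. */
static int *fetch_user_ints(const int *uptr, int count)
{
    int *k = malloc((size_t)count * sizeof(*k));  /* kmalloc in the kernel */
    if (k && mock_copy_from_user(k, uptr, (size_t)count * sizeof(*k))) {
        free(k);
        k = NULL;
    }
    return k;
}

/* Validate the count, copy both arrays, then read only the kernel copies. */
long long dma_priority_checked(const struct dma_req *d)
{
    long long total = 0;
    if (d->send_count <= 0 || d->send_count > MAX_SEND)
        return -EINVAL;
    int *idx = fetch_user_ints(d->send_indices, d->send_count);
    int *siz = fetch_user_ints(d->send_sizes, d->send_count);
    if (!idx || !siz) { free(idx); free(siz); return -EFAULT; }
    for (int i = 0; i < d->send_count && total >= 0; i++)
        total = (idx[i] >= 0 && idx[i] < NUM_BUFS && siz[i] >= 0) ? total + siz[i] : -EINVAL;
    free(idx); free(siz);
    return total;
}
```

A request whose `send_indices` or `send_sizes` points outside the user range fails with `-EFAULT` before any element is read, which is the property a direct `d->send_indices[i]` dereference lacks.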



