On Wed, Jan 14, 2004 at 01:39:39PM +0000, Alan Cox wrote:
>I think this is about the minimal fix needed. I'm not entirely happy
>with the limits picked, especially for spans, but maybe someone with
>an R128 can verify it is ok, or change the code to loop each chunk
>of pixels/span data.

I've attached a version of the patch relative to the XFree86 version of this code, which I'm also committing there. Have there been any further updates on this? David -- David Dawes developer/release engineer The XFree86 Project www.XFree86.org/~dawes > >I've not yet looked at the new SiS allocator problems in detail. The >6326 really wants a different allocator anyway. > >Alan > >--- drivers/char/drm/r128_state.c~ 2004-01-14 13:42:38.000000000 +0000 >+++ drivers/char/drm/r128_state.c 2004-01-14 13:46:27.000000000 +0000 >@@ -23,8 +23,20 @@ > * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER > * DEALINGS IN THE SOFTWARE. > * >+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR >+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, >+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL >+ * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR >+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, >+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER >+ * DEALINGS IN THE SOFTWARE. >+ * >+ * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS >+ * > * Authors: > * Gareth Hughes <[EMAIL PROTECTED]> >+ * >+ * Memory allocation size checks added 14/01/2003, Alan Cox <[EMAIL PROTECTED]> > */ > > #include "r128.h" >@@ -901,6 +913,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if( count > 4096 ) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > } >@@ -994,6 +1009,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if( count > 4096 ) >+ return -EMSGSIZE; > > x = kmalloc( count * sizeof(*x), GFP_KERNEL ); > if ( x == NULL ) { >@@ -1109,6 +1127,9 @@ > DRM_DEBUG( "%s\n", __FUNCTION__ ); > > count = depth->n; >+ >+ if ( count > 4096 ) >+ return -EMSGSIZE; > if ( copy_from_user( &x, depth->x, sizeof(x) ) ) { > return -EFAULT; > }
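Review bot: In the hunk at @@ -994,6 +1009,9 @@ the new test bounds count only from above before `kmalloc( count * sizeof(*x), GFP_KERNEL )`. The declaration of count is not visible in the diff; if it is a signed type, a negative depth->n passes `count > 4096` and becomes a very large size in the multiplication. Rejecting non-positive values in the same test, for example `if ( count > 4096 || count <= 0 )`, would close that, and the same applies to the other two checks. Minor style point: the first two checks are written `if( count` while the third uses `if ( count`, which matches the surrounding code.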
Index: r128_state.c =================================================================== RCS file: /home/x-cvs/xc/programs/Xserver/hw/xfree86/os-support/shared/drm/kernel/r128_state.c,v retrieving revision 1.5 diff -u -r1.5 r128_state.c --- r128_state.c 2 Dec 2003 13:02:43 -0000 1.5 +++ r128_state.c 25 Jan 2004 02:55:20 -0000 @@ -23,8 +23,20 @@ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER * DEALINGS IN THE SOFTWARE. * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR + * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + * + * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS + * * Authors: * Gareth Hughes <[EMAIL PROTECTED]> + * + * Memory allocation size checks added 14/01/2003, Alan Cox <[EMAIL PROTECTED]> */ #include "r128.h" @@ -915,6 +927,10 @@ DRM_DEBUG( "\n" ); count = depth->n; + + if ( count > 4096 ) + return DRM_ERR(EMSGSIZE); + if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) { return DRM_ERR(EFAULT); } @@ -1009,6 +1025,9 @@ count = depth->n; + if ( count > 4096 ) + return DRM_ERR(EMSGSIZE); + xbuf_size = count * sizeof(*x); ybuf_size = count * sizeof(*y); x = DRM_MALLOC( xbuf_size ); @@ -1125,6 +1144,10 @@ DRM_DEBUG( "\n" ); count = depth->n; + + if ( count > 4096 ) + return DRM_ERR(EMSGSIZE); + if ( DRM_COPY_FROM_USER( &x, depth->x, sizeof(x) ) ) { return DRM_ERR(EFAULT); }
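Review bot: In the header hunk (@@ -23,8 +23,20 @@) the credit line is dated 14/01/2003, while the thread and the diff timestamps are from January 2004, so the year looks like a typo. The added warranty paragraph also repeats the "ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE ... DEALINGS IN THE SOFTWARE" text that is already present as context directly above it; please confirm a second disclaimer naming Red Hat is intended for the XFree86 copy of the file rather than a note in the existing notice.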
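Review bot: The literal 4096 is repeated in all three checks (@@ -915,6 +927,10 @@, @@ -1009,6 +1025,9 @@ and @@ -1125,6 +1144,10 @@) with no comment on where the limit comes from, and the original posting says the limits, especially for spans, are not settled. A single named constant with a comment stating what it bounds would make the limit easy to revisit. In the first and third hunks the visible code copies only `sizeof(x)` from depth->x, so a line saying which later use of count the check protects would also help.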