From: Vladis Dronov
commit: ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf upstream
The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
a user-controlled 'uint32_t' value which is used as a loop count limit.
This can lead to a kernel lockup and DoS. Add check for
From: Seunghun Han
commit 3b2d69114fefa474fca542e51119036dceb4aa6f upstream
ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6
I found some ACPI operand cache leaks in ACPI early abort cases.
Boot log of ACPI operand cache leak is as follows:
>[0.174332] ACPI:
From: Willy Tarreau
commit 3e21f4af170bebf47c187c1ff8bf155583c9f3b1 upstream
The lp_setup() code doesn't apply any bounds checking when passing
"lp=none", and only in this case, resulting in an overflow of the
parport_nr[] array. All versions in Git history are affected.
This series of patches are for CVE, including CVE-2017-8890,
CVE-2017-1000363,CVE-2017-11472,CVE-2017-7346
Eric Dumazet (1):
dccp/tcp: do not inherit mc_list from parent
Seunghun Han (1):
ACPICA: Namespace: fix operand cache leak
Vladis Dronov (1):
drm/vmwgfx: limit the number of mip
From: Eric Dumazet
commit 657831ffc38e30092a2d5f03d385d710eb88b09a upstream
syzkaller found a way to trigger double frees from ip_mc_drop_socket()
It turns out that leave a copy of parent mc_list at accept() time,
which is very bad.
Very similar to commit 8b485ce69876