mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-05 10:29:37 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/video/fbdev
History
Tomi Valkeinen 1bafcbf59f fbdev/omapfb: fix omapfb_memory_read infoleak 
OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2018-09-26 18:11:22 +02:00
..
aty video: fbdev: aty: radeon_pm: Replace mdelay with msleep in radeonfb_pci_suspend 2018-04-24 18:11:21 +02:00
core fbcon: Do not takeover the console from atomic context 2018-08-10 17:23:02 +02:00
geode x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping 2018-02-15 01:15:52 +01:00
i810 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
intelfb video: fbdev: intelfb: deprecate pci_get_bus_and_slot() 2018-01-17 08:16:46 -06:00
kyro video: fbdev: kyro: constify pci_device_id. 2017-08-01 17:20:42 +02:00
matrox video: matroxfb: Delete an error message for a failed memory allocation in matroxfb_crtc2_probe() 2018-03-28 16:34:28 +02:00
mb862xx treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mbx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mmp fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
nvidia fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
omap fbdev: omapfb: off by one in omapfb_register_client() 2018-07-24 19:11:28 +02:00
omap2 fbdev/omapfb: fix omapfb_memory_read infoleak 2018-09-26 18:11:22 +02:00
riva treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
savage video: fbdev: savage: Replace mdelay with usleep_range in savage_init_hw 2018-04-24 18:11:21 +02:00
sis video: fbdev: sis: avoid mismatched prototypes 2018-03-12 17:06:52 +01:00
vermilion video: fbdev: vermilion: use 64-bit arithmetic instead of 32-bit 2018-03-12 17:06:54 +01:00
via video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
68328fb.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
acornfb.c drivers/video/fbdev: Fixing coding guidelines in acornfb.c 2017-04-07 17:03:24 +02:00
acornfb.h
amba-clcd-nomadik.c fbdev changes for v4.11: 2017-02-25 13:20:22 -08:00
amba-clcd-nomadik.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd-versatile.c video: ARM CLCD: use panel device node for panel initialization 2017-01-30 17:39:48 +01:00
amba-clcd-versatile.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd.c video: ARM CLCD: Improve a size determination in clcdfb_probe() 2018-03-28 16:34:29 +02:00
amifb.c fb: amifb: fix build warnings when not builtin 2018-07-31 13:06:58 +02:00
arcfb.c Annotate hardware config module parameters in drivers/video/ 2017-04-20 12:02:32 +01:00
arkfb.c video: fbdev: arkfb: constify pci_device_id. 2017-08-01 17:20:42 +02:00
asiliantfb.c video: fbdev: asiliantfb: constify pci_device_id. 2017-08-01 17:20:41 +02:00
atafb.c
atafb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel_lcdfb.c video: fbdev: atmel_lcdfb: convert to use GPIO descriptors 2018-03-12 17:06:52 +01:00
au1100fb.c fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
au1100fb.h
au1200fb.c video: fbdev: fix spelling mistake: "frambuffer" -> "framebuffer" 2018-05-15 12:41:11 +02:00
au1200fb.h fbdev: au1200fb: delete duplicate header contents 2018-01-04 16:53:49 +01:00
broadsheetfb.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bt431.h
bt455.h
bw2.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
c2p.h
c2p_core.h
c2p_iplan2.c
c2p_planar.c
carminefb.c
carminefb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
carminefb_regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cg3.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
cg6.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
cg14.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
chipsfb.c video/chips: constify fb_fix_screeninfo and fb_var_screeninfo structures 2017-08-01 17:20:39 +02:00
cirrusfb.c video: fbdev: cirrusfb: mark expected switch fall-throughs 2017-11-09 18:09:32 +01:00
clps711x-fb.c
clps711xfb.c
cobalt_lcdfb.c video: cobalt_lcdfb: constify fb_fix_screeninfo structure 2017-08-01 17:20:39 +02:00
controlfb.c
controlfb.h fbdev: controlfb: Add missing modes to fix out of bounds access 2017-11-09 18:09:33 +01:00
cyber2000fb.c video: fbdev: make fb_videomode const 2017-09-04 16:00:49 +02:00
cyber2000fb.h
da8xx-fb.c fbdev: da8xx-fb: Drop unnecessary static 2017-08-01 17:20:39 +02:00
dnfb.c video/fbdev/dnfb: Use common error handling code in dnfb_probe() 2017-11-09 18:09:31 +01:00
edid.h
efifb.c fbdev changes for v4.19: 2018-08-23 15:44:58 -07:00
ep93xx-fb.c
fb-puv3.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
ffb.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
fm2fb.c video: fm2fb: constify zorro_device_id 2017-09-04 16:00:49 +02:00
fsl-diu-fb.c video: fbdev: fsl-diu-fb: Remove VLA usage 2018-07-24 19:11:26 +02:00
g364fb.c
gbefb.c
goldfishfb.c video: goldfishfb: fix memory leak on driver remove 2018-07-24 19:11:27 +02:00
grvga.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
gxt4500.c
hecubafb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
hgafb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
hitfb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
hpfb.c hpfb: use probe_kernel_read() 2017-05-27 15:41:17 -04:00
hyperv_fb.c use the new async probing feature for the hyperv drivers 2018-07-03 13:02:28 +02:00
i740_reg.h
i740fb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
imsttfb.c video: fbdev: imsttfb: constify pci_device_id. 2017-08-01 17:20:43 +02:00
imxfb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
jz4740_fb.c fbdev: jz4740-fb: Let the pinctrl driver configure the pins 2017-05-22 17:22:06 +02:00
Kconfig video: fbdev: via: allow COMPILE_TEST build 2018-05-15 12:41:10 +02:00
leo.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
macfb.c nubus: Adopt standard linked list implementation 2018-01-16 16:47:29 +01:00
macmodes.c
macmodes.h
Makefile video: fbdev: remove unused sh_mobile_meram driver 2018-05-14 15:47:30 +02:00
maxinefb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
metronomefb.c video: fbdev: metronomefb: fix some off by one bugs 2018-07-24 19:11:26 +02:00
mx3fb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
mxsfb.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
n411.c Annotate hardware config module parameters in drivers/video/ 2017-04-20 12:02:32 +01:00
neofb.c video: fbdev: neofb: constify pci_device_id. 2017-08-01 17:20:44 +02:00
nuc900fb.c
nuc900fb.h
ocfb.c
offb.c video: offb: Deallocate the color map 2018-03-12 17:06:54 +01:00
p9100.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
platinumfb.c
platinumfb.h
pm2fb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
pm3fb.c video: fbdev: pm3fb: constify pci_device_id. 2017-08-01 17:20:45 +02:00
pmag-aa-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
pmag-ba-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
pmagb-b-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
ps3fb.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
pvr2fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
pxa3xx-gcu.c video: fbdev: pxa3xx_gcu: add devicetree bindings 2018-07-24 19:11:25 +02:00
pxa3xx-gcu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxa168fb.c pxa168fb: prepare the clock 2018-09-26 18:11:22 +02:00
pxa168fb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxafb.c video: fbdev: pxafb: Add support for lcd-supply regulator 2018-07-24 19:11:26 +02:00
pxafb.h video: fbdev: pxafb: Add support for lcd-supply regulator 2018-07-24 19:11:26 +02:00
q40fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
s1d13xxxfb.c fbdev: s1d13xxxfb: remove m32r specific hacks 2018-03-26 15:56:46 +02:00
s3c-fb.c video: fbdev: s3c-fb: remove dead platform code for Exynos and S5PV210 platforms 2018-03-28 16:34:29 +02:00
s3c2410fb.c video: s3c2410fb: Register cpufreq notifier only on S3C24xx 2016-08-11 17:54:55 +03:00
s3c2410fb.h video: s3c2410fb: Register cpufreq notifier only on S3C24xx 2016-08-11 17:54:55 +03:00
s3fb.c video: fbdev: s3fb: constify pci_device_id. 2017-08-01 17:20:45 +02:00
sa1100fb.c video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sa1100fb.h video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sbuslib.c fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). 2018-03-07 14:00:34 +01:00
sbuslib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sh7760fb.c
sh_mobile_lcdcfb.c video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support 2018-05-14 15:47:30 +02:00
sh_mobile_lcdcfb.h video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support 2018-05-14 15:47:30 +02:00
simplefb.c video: fbdev: simplefb: Stop including <linux/clk-provider.h> 2018-07-03 17:43:09 +02:00
skeletonfb.c docs: fix broken references with multiple hints 2018-06-15 18:10:01 -03:00
sm501fb.c video: sm501fb: Improve a size determination in sm501fb_probe() 2018-04-26 12:24:18 +02:00
sm712.h
sm712fb.c video: fbdev: sm712fb.c: fixed constant-left comparison warning 2017-08-01 17:20:38 +02:00
smscufx.c video: smscufx: Delete an error message for a failed memory allocation in ufx_realloc_framebuffer() 2018-03-28 16:34:28 +02:00
ssd1307fb.c video: ssd1307fb: Improve a size determination in ssd1307fb_probe() 2018-03-28 16:34:28 +02:00
sstfb.c
sticore.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stifb.c fbdev changes for v4.17: 2018-04-10 10:20:00 -07:00
sunxvr500.c video: fbdev: sunxvr500: constify pci_device_id. 2017-08-01 17:20:43 +02:00
sunxvr1000.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
sunxvr2500.c video: fbdev: sunxvr2500: constify pci_device_id. 2017-08-01 17:20:41 +02:00
tcx.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
tdfxfb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
tgafb.c
tmiofb.c
tridentfb.c video: fbdev: tridentfb: remove deadcode on unreachable case statement 2018-07-24 19:11:28 +02:00
udlfb.c udlfb: use spin_lock_irq instead of spin_lock_irqsave 2018-07-25 15:41:57 +02:00
uvesafb.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
valkyriefb.c
valkyriefb.h
vesafb.c
vfb.c vfb: fix video mode and line_length being set when loaded 2018-01-04 16:53:50 +01:00
vga16fb.c video: fbdev: remove redundant self assignment of 'height' 2017-12-29 19:48:43 +01:00
vt8500lcdfb.c video/fbdev/vt8500lcdfb: Delete an error message for a failed memory allocation in vt8500lcd_probe() 2017-12-29 19:48:44 +01:00
vt8500lcdfb.h
vt8623fb.c video: fbdev: vt8623fb: constify vt8623_timing_regs 2017-08-18 19:56:40 +02:00
w100fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
w100fb.h
wm8505fb.c video/fbdev/wm8505fb: Delete an error message for a failed memory allocation in wm8505fb_probe() 2017-12-29 19:48:43 +01:00
wm8505fb_regs.h
wmt_ge_rops.c
wmt_ge_rops.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xen-fbfront.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
xilinxfb.c video: fbdev: Fix multiple style issues in xilinxfb 2017-08-21 16:49:57 +02:00