1. 21 4月, 2011 1 次提交
    • V
      agp: fix OOM and buffer overflow · b522f021
      Vasiliy Kulikov 提交于
      page_count is copied from userspace.  agp_allocate_memory() tries to
      check whether this number is too big, but doesn't take into account the
      wrap case.  Also agp_create_user_memory() doesn't check whether
      alloc_size is calculated from num_agp_pages variable without overflow.
      This may lead to allocation of too small buffer with following buffer
      overflow.
      
      Another problem in agp code is not addressed in the patch - kernel memory
      exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
      whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
      Each allocation is limited to 16KB, though, there is no per-process limit.
      This might lead to OOM situation, which is not even solved in case of the
      caller death by OOM killer - the memory is allocated for another (faked) process.
      Signed-off-by: NVasiliy Kulikov <segoon@openwall.com>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      b522f021
  2. 20 4月, 2011 8 次提交
  3. 15 4月, 2011 3 次提交
  4. 13 4月, 2011 8 次提交
  5. 09 4月, 2011 5 次提交
  6. 08 4月, 2011 2 次提交
  7. 07 4月, 2011 13 次提交