linux/drivers/gpu/drm
Luca Barbieri 12f735b79f drm/nouveau: check pushbuffer bounds in ioctl
Currently there is no check that the pushbuffer request bounds are inside
the TTM BO.

This allows instructing the kernel to do relocations on user-selected
addresses, since the relocation bounds checking relies on the request
bounds.

This can oops the kernel accidentally and is easily exploitable.

This patch adds bound checking and alignment checking for ->offset and
->nr_dwords.

It also makes some variables unsigned, which should have no effect,
but prevents possible bounds checking problems.

Signed-off-by: Luca Barbieri <luca@luca-barbieri.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2010-01-15 09:56:50 +10:00
i2c drm/i2c/ch7006: Fix load detection false positives right after system init. 2009-12-16 17:04:45 +10:00
i810 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
i830 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
i915 drm: remove address mask param for drm_pci_alloc() 2010-01-07 13:15:50 +10:00
mga drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
nouveau drm/nouveau: check pushbuffer bounds in ioctl 2010-01-15 09:56:50 +10:00
r128 drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
radeon drm/radeon/kms: Don't try to enable IRQ if we have no handler installed 2010-01-08 13:12:20 +10:00
savage drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
sis drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
tdfx drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
ttm drm/ttm: Fix memory type manager debug information printing 2009-12-16 15:36:26 +10:00
via drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
vmwgfx drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles. 2009-12-23 10:06:24 +10:00
ati_pcigart.c drm: remove address mask param for drm_pci_alloc() 2010-01-07 13:15:50 +10:00
drm_agpsupport.c
drm_auth.c
drm_bufs.c drm: remove address mask param for drm_pci_alloc() 2010-01-07 13:15:50 +10:00
drm_cache.c
drm_context.c
drm_crtc_helper.c drm: Keep disabled outputs disabled after suspend / resume 2010-01-08 13:17:22 +10:00
drm_crtc.c drm: Add eDP connector type 2010-01-08 13:04:04 +10:00
drm_debugfs.c
drm_dma.c
drm_dp_i2c_helper.c Merge remote branch 'anholt/drm-intel-next' into drm-linus 2009-12-08 14:03:47 +10:00
drm_drawable.c
drm_drv.c drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
drm_edid.c drm/edid: Fix CVT width/height decode 2010-01-07 13:18:04 +10:00
drm_encoder_slave.c
drm_fb_helper.c drm/kms/fb: check for depth changes from userspace for resizing. 2010-01-08 13:18:19 +10:00
drm_fops.c drm: Add support for drm master_[set|drop] callbacks. 2009-12-04 08:55:46 +10:00
drm_gem.c drm: make sure page protections are updated after changing vm_flags 2009-11-24 13:02:30 +10:00
drm_hashtab.c
drm_info.c
drm_ioc32.c drm: convert drm_ioctl to unlocked_ioctl 2009-12-18 11:22:31 +10:00
drm_ioctl.c
drm_irq.c drm: Avoid calling vblank function is vblank wasn't initialized 2010-01-08 13:12:09 +10:00
drm_lock.c
drm_memory.c
drm_mm.c drm/mm: fix logic for selection of best fit block 2009-12-23 10:08:08 +10:00
drm_modes.c drm/modes: Add drm_mode_hsync() 2009-12-04 08:53:22 +10:00
drm_pci.c drm: remove address mask param for drm_pci_alloc() 2010-01-07 13:15:50 +10:00
drm_proc.c
drm_scatter.c
drm_sman.c
drm_stub.c drm: Export symbols needed for the vmwgfx driver. 2009-12-07 15:22:08 +10:00
drm_sysfs.c Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 2009-09-21 08:10:09 -07:00
drm_vm.c const: mark struct vm_struct_operations 2009-09-27 11:39:25 -07:00
Kconfig drm/i915: Select CONFIG_SHMEM 2009-11-25 12:27:42 -08:00
Makefile Merge remote branch 'korg/drm-vmware-staging' into drm-core-next 2009-12-18 09:53:50 +10:00
README.drm

************************************************************
* For the very latest on DRI development, please see:      *
*     http://dri.freedesktop.org/                          *
************************************************************

The Direct Rendering Manager (drm) is a device-independent kernel-level
device driver that provides support for the XFree86 Direct Rendering
Infrastructure (DRI).

The DRM supports the Direct Rendering Infrastructure (DRI) in four major
ways:

    1. The DRM provides synchronized access to the graphics hardware via
       the use of an optimized two-tiered lock.

    2. The DRM enforces the DRI security policy for access to the graphics
       hardware by only allowing authenticated X11 clients access to
       restricted regions of memory.

    3. The DRM provides a generic DMA engine, complete with multiple
       queues and the ability to detect the need for an OpenGL context
       switch.

    4. The DRM is extensible via the use of small device-specific modules
       that rely extensively on the API exported by the DRM module.


Documentation on the DRI is available from:
    http://dri.freedesktop.org/wiki/Documentation
    http://sourceforge.net/project/showfiles.php?group_id=387
    http://dri.sourceforge.net/doc/

For specific information about kernel-level support, see:

    The Direct Rendering Manager, Kernel Support for the Direct Rendering
    Infrastructure
    http://dri.sourceforge.net/doc/drm_low_level.html

    Hardware Locking for the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/hardware_locking_low_level.html

    A Security Analysis of the Direct Rendering Infrastructure
    http://dri.sourceforge.net/doc/security_low_level.html