radeon: Add some sanity checks to obj info record parsing (Closes: #618847)
svn path=/dists/sid/linux-2.6/; revision=17122
This commit is contained in:
Ben Hutchings
parent
af7aeb0faf
commit
b075265258
|
|
@ -15,6 +15,8 @@ linux-2.6 (2.6.38-2) UNRELEASED; urgency=low
|
|||
- RDMA/cma: Fix crash in request handlers (CVE-2011-0695)
|
||||
For the complete list of changes, see:
|
||||
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.1
|
||||
* radeon: Add some sanity checks to obj info record parsing, thanks
|
||||
to John Lindgren (Closes: #618847)
|
||||
|
||||
[ Jurij Smakov ]
|
||||
* Bump CONFIG_NR_CPUS on sparc to 256 to accomodate T2+ machines
|
||||
|
|
|
|||
44
debian/patches/bugfix/all/radeon-add-sanity-checks-to-obj-info-record-parsing.patch
vendored
Normal file
44
debian/patches/bugfix/all/radeon-add-sanity-checks-to-obj-info-record-parsing.patch
vendored
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
From: John Lindgren <john.lindgren@tds.net>
|
||||
Subject: [PATCH] drm/radeon/kms: add some sanity checks to obj info record parsing
|
||||
|
||||
Fixes:
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=35502
|
||||
|
||||
diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
|
||||
index 02d5c41..99768d9 100644
|
||||
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
|
||||
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
|
||||
@@ -675,7 +675,8 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
|
||||
ATOM_ENCODER_CAP_RECORD *cap_record;
|
||||
u16 caps = 0;
|
||||
|
||||
- while (record->ucRecordType > 0 &&
|
||||
+ while (record->ucRecordSize > 0 &&
|
||||
+ record->ucRecordType > 0 &&
|
||||
record->ucRecordType <= ATOM_MAX_OBJECT_RECORD_NUMBER) {
|
||||
switch (record->ucRecordType) {
|
||||
case ATOM_ENCODER_CAP_RECORD_TYPE:
|
||||
@@ -720,7 +721,8 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
|
||||
break;
|
||||
}
|
||||
|
||||
- while (record->ucRecordType > 0 &&
|
||||
+ while (record->ucRecordSize > 0 &&
|
||||
+ record->ucRecordType > 0 &&
|
||||
record->ucRecordType <= ATOM_MAX_OBJECT_RECORD_NUMBER) {
|
||||
switch (record->ucRecordType) {
|
||||
case ATOM_I2C_RECORD_TYPE:
|
||||
@@ -782,10 +784,9 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
|
||||
ATOM_HPD_INT_RECORD *hpd_record;
|
||||
ATOM_I2C_ID_CONFIG_ACCESS *i2c_config;
|
||||
|
||||
- while (record->ucRecordType > 0
|
||||
- && record->
|
||||
- ucRecordType <=
|
||||
- ATOM_MAX_OBJECT_RECORD_NUMBER) {
|
||||
+ while (record->ucRecordSize > 0 &&
|
||||
+ record->ucRecordType > 0 &&
|
||||
+ record->ucRecordType <= ATOM_MAX_OBJECT_RECORD_NUMBER) {
|
||||
switch (record->ucRecordType) {
|
||||
case ATOM_I2C_RECORD_TYPE:
|
||||
i2c_record =
|
||||
|
|
@ -2,3 +2,4 @@
|
|||
+ bugfix/all/rt2800-disable-powersaving-as-default.patch
|
||||
- bugfix/x86/Correct-a-typo-in-xen_do_hypervisor_callback-label.patch
|
||||
+ bugfix/all/stable/2.6.38.1.patch
|
||||
+ bugfix/all/radeon-add-sanity-checks-to-obj-info-record-parsing.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue