Fix 5 security bugs found by the Stanford tools

2026-05-05 06:38:03 +02:00 · 2001-06-18 19:25:15 +00:00 · 2001-06-18 19:25:15 +00:00 · 12e9c636df
commit 12e9c636df
parent b1a588f0cc
3 changed files with 10 additions and 2 deletions
--- a/linux-core/i810_dma.c
+++ b/linux-core/i810_dma.c
@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
 		  vertex.idx, vertex.used, vertex.discard);

+	if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
 	i810_dma_dispatch_vertex( dev,
 				  dma->buflist[ vertex.idx ],
 				  vertex.discard, vertex.used );
@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
   	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
 		return -EFAULT;

-	if(d.idx > dma->buf_count) return -EINVAL;
+        if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
 	buf = dma->buflist[ d.idx ];
   	buf_priv = buf->dev_private;
 	if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
--- a/linux/i810_dma.c
+++ b/linux/i810_dma.c
@ -1094,6 +1094,8 @@ int i810_dma_vertex(struct inode *inode, struct file *filp,
 	DRM_DEBUG("i810 dma vertex, idx %d used %d discard %d\n",
 		  vertex.idx, vertex.used, vertex.discard);

+	if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
+
 	i810_dma_dispatch_vertex( dev,
 				  dma->buflist[ vertex.idx ],
 				  vertex.discard, vertex.used );
@ -1222,7 +1224,7 @@ int i810_copybuf(struct inode *inode, struct file *filp, unsigned int cmd,
   	if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
 		return -EFAULT;

-	if(d.idx > dma->buf_count) return -EINVAL;
+        if(d.idx < 0 || d.idx > dma->buf_count) return -EINVAL;
 	buf = dma->buflist[ d.idx ];
   	buf_priv = buf->dev_private;
 	if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;
--- a/linux/mga_state.c
+++ b/linux/mga_state.c
@ -943,6 +943,7 @@ int mga_dma_vertex( struct inode *inode, struct file *filp,
 			     sizeof(vertex) ) )
 		return -EFAULT;

+        if(vertex.idx < 0 || vertex.idx > dma->buf_count) return -EINVAL;
 	buf = dma->buflist[vertex.idx];
 	buf_priv = buf->dev_private;

@ -984,6 +985,8 @@ int mga_dma_indices( struct inode *inode, struct file *filp,
 			     sizeof(indices) ) )
 		return -EFAULT;

+        if(indices.idx < 0 || indices.idx > dma->buf_count) return -EINVAL;
+
 	buf = dma->buflist[indices.idx];
 	buf_priv = buf->dev_private;

@ -1030,6 +1033,7 @@ int mga_dma_iload( struct inode *inode, struct file *filp,
 		return -EBUSY;
 	}
 #endif
+        if(iload.idx < 0 || iload.idx > dma->buf_count) return -EINVAL;

 	buf = dma->buflist[iload.idx];
 	buf_priv = buf->dev_private;