linux/drivers/video/fbdev
Kees Cook 2dc705a993 fbdev: color map copying bounds checking
Copying color maps to userspace doesn't check the value of to->start,
which will cause kernel heap buffer OOB read due to signedness wraps.

CVE-2016-8405

Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Peter Pi (@heisecode) of Trend Micro
Cc: Min Chong <mchong@google.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-24 16:26:14 -08:00
aty video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
core fbdev: color map copying bounds checking 2017-01-24 16:26:14 -08:00
geode video: constify geode ops structures 2015-12-15 15:41:22 +02:00
i810 video: fbdev: i810: add in missing white space in error message text 2016-09-27 11:08:15 +03:00
intelfb video: fbdev: intelfb: remove impossible condition 2016-09-07 11:16:05 +03:00
kyro video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
matrox matroxfb: fix size of memcpy 2016-09-27 11:43:24 +03:00
mb862xx video: fbdev: mb862xx: remove unused variable 2016-08-30 12:00:15 +03:00
mbx
mmp fbdev: mmp: print IRQ resource using %pR format string 2016-01-29 13:42:58 +02:00
nvidia video: fbdev: nvidia: use arch_phys_wc_add() and ioremap_wc() 2015-06-03 12:41:50 +03:00
omap fbdev: Remove deprecated create_singlethread_workqueue 2016-08-11 17:54:56 +03:00
omap2 omapfb: fix return value check in dsi_bind() 2016-09-27 11:04:05 +03:00
riva video: fbdev: rivafb: unlock chip before probiding EDID 2015-12-15 15:41:23 +02:00
savage video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
sis video: fbdev: sis: remove unused variable 2016-03-03 13:38:29 +02:00
vermilion mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd 2015-11-06 17:50:42 -08:00
via fbdev: Use IS_ENABLED() instead of checking for built-in or module 2016-05-13 15:14:38 +03:00
68328fb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
acornfb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
acornfb.h
amba-clcd-nomadik.c video: ARM CLCD: export symbols for driver module 2016-08-30 11:54:23 +03:00
amba-clcd-nomadik.h video: ARM CLCD: add special board and panel hooks for Nomadik 2016-08-11 17:54:54 +03:00
amba-clcd-versatile.c video: ARM CLCD: fix Vexpress regression 2016-11-03 12:20:14 +02:00
amba-clcd-versatile.h video: ARM CLCD: add special panel hook for Versatiles 2016-08-11 17:54:54 +03:00
amba-clcd.c video: ARM CLCD: fix endpoint lookup logic 2016-08-30 11:31:22 +03:00
amifb.c fbdev changes for 4.2 2015-06-23 16:23:30 -07:00
arcfb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
arkfb.c drivers/video/fbdev/arkfb.c: Use arch_phys_wc_add() and pci_iomap_wc() 2015-08-25 09:59:45 +02:00
asiliantfb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
atafb_iplan2p2.c
atafb_iplan2p4.c
atafb_iplan2p8.c
atafb_mfb.c
atafb_utils.h
atafb.c fbdev: kill fb_rotate 2016-02-26 13:28:35 +02:00
atafb.h
atmel_lcdfb.c This is the bulk of GPIO changes for kernel v4.6: 2016-03-17 21:05:32 -07:00
au1100fb.c fbdev: kill fb_rotate 2016-02-26 13:28:35 +02:00
au1100fb.h
au1200fb.c mips: separate extable.h, switch module.h to it 2016-10-05 18:36:18 -04:00
au1200fb.h
auo_k190x.c fbdev: auo_k190x: avoid unused function warnings 2015-12-15 15:41:23 +02:00
auo_k190x.h
auo_k1900fb.c
auo_k1901fb.c
bf54x-lq043fb.c
bf537-lq035.c fbdev: kill fb_rotate 2016-02-26 13:28:35 +02:00
bfin_adv7393fb.c fb: adv7393: off by one in probe function 2016-08-30 12:06:12 +03:00
bfin_adv7393fb.h fbdev/bfin_adv7393fb: move DRIVER_NAME before its first use 2016-08-02 19:35:05 -04:00
bfin-lq035q1-fb.c
bfin-t350mcqb-fb.c
broadsheetfb.c fbdev: broadsheetfb: fix memory leak 2015-09-30 10:33:57 +03:00
bt431.h video: fbdev: bt431: Correct cursor format control macro 2016-02-26 13:06:11 +02:00
bt455.h video: fbdev: pmag-ba-fb: Optimize Bt455 colormap addressing 2016-02-26 13:06:11 +02:00
bw2.c
c2p_core.h
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h
carminefb.c
carminefb.h
cg3.c
cg6.c
cg14.c
chipsfb.c
cirrusfb.c
clps711x-fb.c video: clps711x-fb: Changing the compatibility string to match with the smallest supported chip 2016-07-06 17:38:19 +02:00
clps711xfb.c
cobalt_lcdfb.c video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap 2017-01-04 12:58:45 +01:00
controlfb.c powerpc: Move Power Macintosh drivers to generic byteswappers 2015-03-23 14:29:40 +11:00
controlfb.h
cyber2000fb.c
cyber2000fb.h
da8xx-fb.c remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
dnfb.c
edid.h
efifb.c efifb: Show framebuffer layout as device attributes 2016-10-18 17:11:19 +02:00
ep93xx-fb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
fb-puv3.c
ffb.c
fm2fb.c
fsl-diu-fb.c video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented 2015-12-09 12:57:06 +02:00
g364fb.c
gbefb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
goldfishfb.c
grvga.c
gxt4500.c gxt4500: enable panning 2015-10-08 12:19:39 +03:00
hecubafb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
hgafb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
hitfb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
hpfb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
hyperv_fb.c drivers:hv: Use new vmbus_mmio_free() from client drivers. 2016-04-30 14:01:37 -07:00
i740_reg.h
i740fb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
igafb.c
imsttfb.c PCI: Remove includes of asm/pci-bridge.h 2016-02-05 16:29:28 -06:00
imxfb.c video: fbdev: imxfb: add some error handling 2016-05-10 11:42:25 +03:00
jz4740_fb.c
Kconfig Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-10-15 09:26:12 -07:00
leo.c
macfb.c
macmodes.c
macmodes.h
Makefile video: fbdev: exynos: Remove old non-working MIPI driver 2016-09-27 11:05:29 +03:00
maxinefb.c
metronomefb.c video: fbdev: metronomefb: two harmless off by one bugs 2016-02-16 14:52:43 +02:00
mx3fb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
mxsfb.c video: mxsfb: Fix framebuffer corruption on mx6sx 2016-08-30 11:59:33 +03:00
n411.c fbdev: n411: check return value 2016-02-26 12:16:58 +02:00
neofb.c video: fbdev: neofb: use arch_phys_wc_add() and ioremap_wc() 2015-06-03 12:41:49 +03:00
nuc900fb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
nuc900fb.h
ocfb.c ocfb: fix tgdel and tvdel timing parameters 2016-01-29 13:34:07 +02:00
offb.c video: fbdev: offb: Call pci_enable_device() before using the PCI VGA device 2016-09-27 10:55:02 +03:00
p9100.c
platinumfb.c powerpc: Move Power Macintosh drivers to generic byteswappers 2015-03-23 14:29:40 +11:00
platinumfb.h
pm2fb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
pm3fb.c video: fbdev: pm3fb: use arch_phys_wc_add() and ioremap_wc() 2015-06-03 12:41:52 +03:00
pmag-aa-fb.c video: fbdev: pmag-ba-fb: Optimize Bt455 colormap addressing 2016-02-26 13:06:11 +02:00
pmag-ba-fb.c video: fbdev: pmag-ba-fb: Fix the lower margin size 2016-02-26 13:02:58 +02:00
pmagb-b-fb.c
ps3fb.c
pvr2fb.c mm: replace get_user_pages_unlocked() write/force parameters with gup_flags 2016-10-18 14:13:37 -07:00
pxa3xx-gcu.c video: fbdev: pxa3xx_gcu: prepare the clocks 2015-08-10 12:25:43 +03:00
pxa3xx-gcu.h
pxa168fb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
pxa168fb.h
pxafb.c video: fbdev: pxafb: add missing of_node_put() in of_get_pxafb_mode_info() 2016-08-30 12:04:16 +03:00
pxafb.h video: fbdev: pxafb: loosen the platform data bond 2015-12-15 15:41:24 +02:00
q40fb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
s1d13xxxfb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
s3c2410fb.c video: s3c2410fb: Register cpufreq notifier only on S3C24xx 2016-08-11 17:54:55 +03:00
s3c2410fb.h video: s3c2410fb: Register cpufreq notifier only on S3C24xx 2016-08-11 17:54:55 +03:00
s3c-fb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
s3fb.c drivers/video/fbdev/s3fb: Use arch_phys_wc_add() and pci_iomap_wc() 2015-08-25 09:59:45 +02:00
sa1100fb.c dma, mm/pat: Rename dma_*_writecombine() to dma_*_wc() 2016-03-09 14:57:51 +01:00
sa1100fb.h ARM: 8244/1: fbdev: sa1100fb: make use of device clock 2014-12-05 16:30:25 +00:00
sbuslib.c
sbuslib.h
sh7760fb.c
sh_mobile_lcdcfb.c fbdev: sh_mobile_lcdc: Fix destruction of uninitialized mutex 2015-04-07 16:24:15 +03:00
sh_mobile_lcdcfb.h
sh_mobile_meram.c More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
simplefb.c simplefb: Disable and release clocks and regulators in destroy callback 2016-09-27 11:21:36 +03:00
skeletonfb.c docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
sm501fb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
sm712.h staging: sm7xxfb: merge sm712fb with fbdev 2015-08-07 15:05:01 -07:00
sm712fb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
smscufx.c video: smscufx: remove unused variable 2016-09-27 11:47:37 +03:00
ssd1307fb.c fbdev: ssd1307fb: fix a possible NULL dereference 2016-09-27 11:41:30 +03:00
sstfb.c
sticore.h
stifb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
sunxvr500.c drivers/video: make fbdev/sunxvr500.c explicitly non-modular 2016-03-03 13:36:51 +02:00
sunxvr1000.c drivers/video: make fbdev/sunxvr1000.c explicitly non-modular 2016-03-03 13:36:51 +02:00
sunxvr2500.c drivers/video: make fbdev/sunxvr2500.c explicitly non-modular 2016-03-03 13:36:51 +02:00
tcx.c
tdfxfb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
tgafb.c
tmiofb.c
tridentfb.c fbdev changes for 4.4 2015-11-10 10:00:09 -08:00
udlfb.c fbdev: udlfb: remove unneeded initialization in few places 2015-08-20 10:32:40 +03:00
uvesafb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
valkyriefb.c
valkyriefb.h
vesafb.c video: fbdev: vesafb: use arch_phys_wc_add() 2015-06-16 09:42:11 +03:00
vfb.c fbdev: vfb: simplify memory management 2016-09-07 12:06:53 +03:00
vga16fb.c video: fbdev: constify fb_fix_screeninfo and fb_var_screeninfo structures 2016-09-27 11:16:35 +03:00
vt8500lcdfb.c video: vt8500lcdfb: remove unneeded continue 2015-01-13 13:35:04 +02:00
vt8500lcdfb.h
vt8623fb.c drivers/video/fbdev/vt8623fb: Use arch_phys_wc_add() and pci_iomap_wc() 2015-08-25 09:59:45 +02:00
w100fb.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
w100fb.h
wm8505fb_regs.h
wm8505fb.c
wmt_ge_rops.c
wmt_ge_rops.h
xen-fbfront.c xen: make use of xenbus_read_unsigned() in xen-fbfront 2016-11-07 13:55:32 +01:00
xilinxfb.c