x11/nvidia-driver/files/security-patch-CVE-2012-0946


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

--- src/nv.h.orig	2011-07-14 02:51:53.000000000 +0800
+++ src/nv.h	2012-05-10 18:15:51.000000000 +0800
@@ -364,6 +364,27 @@
              ((offset) >= (nv)->agp.address) &&                                \
              (((offset) + ((length)-1)) <= (nv)->agp.address + ((nv)->agp.size-1)))
 
+#define IS_REG_RANGE_WITHIN_MAPPING(nv, roffset, rlength, moffset, mlength)    \
+             (((moffset) <= ((nv)->regs->address + ((roffset) + (rlength)-1))) &&\
+             (((moffset) + (mlength)-1) >= ((nv)->regs->address + (roffset))))
+
+#define IS_BLACKLISTED_REG_OFFSET(nv, offset, length)                          \
+             ((IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x84000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x85000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x86000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x87000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x89000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0xa0000, 0x20000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x104000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x105000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x10a000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1c2000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1c3000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x618000, 0x2000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x627000, 0x1000, offset, length)) ||\
+              (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x700000, 0x100000, offset, length)))
+
 /* duplicated from nvos.h for external builds */
 #ifndef NVOS_AGP_CONFIG_DISABLE_AGP
 #  define NVOS_AGP_CONFIG_DISABLE_AGP (0x00000000)
--- src/nvidia_subr.c.orig	2012-05-10 18:09:01.000000000 +0800
+++ src/nvidia_subr.c	2012-05-10 18:13:41.000000000 +0800
@@ -1464,6 +1464,8 @@
     }
 
     if (IS_REG_OFFSET(nv, offset, PAGE_SIZE)) {
+        if (IS_BLACKLISTED_REG_OFFSET(nv, offset, PAGE_SIZE))
+             return -1;
         *physical = offset;
         return 0;
     }