Google Git
Sign in
kernel / pub / scm / linux / kernel / git / djbw / isci / a5cd335165e31db9dbab636fd29895d41da55dd2
commita5cd335165e31db9dbab636fd29895d41da55dd2[log] [tgz]
authorXi Wang <xi.wang@gmail.com>Wed Nov 23 01:12:01 2011 -0500
committerDave Airlie <airlied@redhat.com>Wed Nov 23 08:59:28 2011 +0000
tree4d01d5801047b466c44c40231773e66a9dfb704d
parentc916874d60d9daf2e2d5f4f622b185ef57deb6a4 [diff]
drm: integer overflow in drm_mode_dirtyfb_ioctl()

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2 files changed
tree: 4d01d5801047b466c44c40231773e66a9dfb704d
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS