Google Git
Sign in
kernel / pub / scm / linux / kernel / git / smb / linux-2.6.32.y-drm33.z / f750d9ae0a36f1d978de2cff602c017c3b58974f
commitf750d9ae0a36f1d978de2cff602c017c3b58974f[log] [tgz]
authorXi Wang <xi.wang@gmail.com>Wed Nov 23 01:12:01 2011 -0500
committerStefan Bader <stefan.bader@canonical.com>Mon Aug 06 18:56:33 2012 +0200
treefb9a62c09ed85db95c7492e76ddf1897c4791aeb
parent05b45f464114f5468df2d3bd083915413adea40e [diff]
drm: integer overflow in drm_mode_dirtyfb_ioctl()

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

CVE-2012-0044
(cherry-picked from commit a5cd335165e31db9dbab636fd29895d41da55dd2 upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2 files changed
tree: fb9a62c09ed85db95c7492e76ddf1897c4791aeb
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. MAINTAINERS
  28. Makefile
  29. README
  30. REPORTING-BUGS