Revision a5cd335165e31db9dbab636fd29895d41da55dd2 authored by Xi Wang on 23 November 2011, 06:12:01 UTC, committed by Dave Airlie on 23 November 2011, 08:59:28 UTC
There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in a memory corruption. Reported-by: Haogang Chen <haogangchen@gmail.com> Signed-off-by: Xi Wang <xi.wang@gmail.com> Cc: stable@kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>
1 parent c916874
| File | Mode | Size |
|---|---|---|
| aoa | ||
| arm | ||
| atmel | ||
| core | ||
| drivers | ||
| firewire | ||
| i2c | ||
| isa | ||
| mips | ||
| oss | ||
| parisc | ||
| pci | ||
| pcmcia | ||
| ppc | ||
| sh | ||
| soc | ||
| sparc | ||
| spi | ||
| synth | ||
| usb | ||
| Kconfig | -rw-r--r-- | 3.9 KB |
| Makefile | -rw-r--r-- | 539 bytes |
| ac97_bus.c | -rw-r--r-- | 1.6 KB |
| last.c | -rw-r--r-- | 1.3 KB |
| sound_core.c | -rw-r--r-- | 15.9 KB |
| sound_firmware.c | -rw-r--r-- | 1.7 KB |
Computing file changes ...
