Revision - a5cd335 - drm: integer overflow in drm_mode_dirtyfb_ioctl()

Revision a5cd335165e31db9dbab636fd29895d41da55dd2 authored by Xi Wang on 23 November 2011, 06:12:01 UTC, committed by Dave Airlie on 23 November 2011, 08:59:28 UTC

drm: integer overflow in drm_mode_dirtyfb_ioctl()

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

1 parent c916874

Files
Changes

Permalinks

File	Mode	Size
Makefile	-rw-r--r--	191 bytes
us122l.c	-rw-r--r--	19.1 KB
us122l.h	-rw-r--r--	540 bytes
usX2Yhwdep.c	-rw-r--r--	7.3 KB
usX2Yhwdep.h	-rw-r--r--	122 bytes
usb_stream.c	-rw-r--r--	19.1 KB
usb_stream.h	-rw-r--r--	2.6 KB
usbus428ctldefs.h	-rw-r--r--	2.1 KB
usbusx2y.c	-rw-r--r--	13.4 KB
usbusx2y.h	-rw-r--r--	2.0 KB
usbusx2yaudio.c	-rw-r--r--	29.1 KB
usx2y.h	-rw-r--r--	1.5 KB
usx2yhwdeppcm.c	-rw-r--r--	24.5 KB
usx2yhwdeppcm.h	-rw-r--r--	507 bytes

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...