Revision - a5cd335 - drm: integer overflow in drm_mode_dirtyfb_ioctl()

Revision a5cd335165e31db9dbab636fd29895d41da55dd2 authored by Xi Wang on 23 November 2011, 06:12:01 UTC, committed by Dave Airlie on 23 November 2011, 08:59:28 UTC

drm: integer overflow in drm_mode_dirtyfb_ioctl()

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

1 parent c916874

Files
Changes

Permalinks

Makefile

snd-usb-usx2y-objs := usbusx2y.o usX2Yhwdep.o usx2yhwdeppcm.o
snd-usb-us122l-objs := us122l.o

obj-$(CONFIG_SND_USB_USX2Y) += snd-usb-usx2y.o
obj-$(CONFIG_SND_USB_US122L) += snd-usb-us122l.o

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...