Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 44afb3a04391a74309d16180d1e4f8386fdfa745
commit44afb3a04391a74309d16180d1e4f8386fdfa745[log] [tgz]
authorXi Wang <xi.wang@gmail.com>Mon Apr 23 04:06:42 2012 -0400
committerDaniel Vetter <daniel.vetter@ffwll.ch>Mon Apr 23 22:32:15 2012 +0200
treefeec2dbbdc8a76932bd10289a3532a4b29c6ef6a
parented8cd3b2cd61004cab85380c52b1817aca1ca49b [diff]
drm/i915: fix integer overflow in i915_gem_do_execbuffer()

On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.

This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
1 file changed
tree: feec2dbbdc8a76932bd10289a3532a4b29c6ef6a
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS