Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 61aff74833b86c735ee901c1038f0cbfcd606ae7
commit61aff74833b86c735ee901c1038f0cbfcd606ae7[log] [tgz]
authorXi Wang <xi.wang@gmail.com>Wed Nov 23 01:12:01 2011 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>Fri Dec 09 08:52:20 2011 -0800
tree9c05d7c1ca3eaba38dc2264b2181fa07767a62b3
parente84ce11bd0183328e00accb611893b9a819dc0ba [diff]
drm: integer overflow in drm_mode_dirtyfb_ioctl()

commit a5cd335165e31db9dbab636fd29895d41da55dd2 upstream.

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2 files changed
tree: 9c05d7c1ca3eaba38dc2264b2181fa07767a62b3
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS