Xi Wang 61aff74833 drm: integer overflow in drm_mode_dirtyfb_ioctl() ...

commit a5cd335165 upstream.

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

2011-12-09 08:52:20 -08:00

..

acpi

Merge branches 'd3cold', 'bugzilla-37412' and 'bugzilla-38152' into release

2011-07-14 00:16:38 -04:00

asm-generic

Merge branches 'gpio/merge' and 'spi/merge' of git://git.secretlab.ca/git/linux-2.6

2011-06-17 10:36:32 -07:00

crypto

…

drm

drm: integer overflow in drm_mode_dirtyfb_ioctl()

2011-12-09 08:52:20 -08:00

keys

…

linux

nfs: when attempting to open a directory, fall back on normal lookup (try #5)

2011-11-26 09:09:59 -08:00

math-emu

…

media

[media] tuner-core/v4l2-subdev: document that the type field has to be filled in

2011-07-07 15:04:23 -03:00

mtd

…

net

net: Handle different key sizes between address families in flow cache

2011-11-11 09:37:17 -08:00

pcmcia

…

rdma

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband

2011-05-26 12:13:57 -07:00

rxrpc

…

scsi

[SCSI] libsas: Add option for SATA soft reset

2011-05-26 22:49:33 -05:00

sound

ALSA: sb16 - Fix build errors on MIPS and others with 13bit ioctl size

2011-06-30 15:33:57 +02:00

target

[SCSI] target: Convert REPORT_LUNs to use int_to_scsilun

2011-05-24 13:02:42 -04:00

trace

Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4

2011-06-21 10:22:35 -07:00

video

Merge branches 'common/fbdev' and 'common/fbdev-meram' of master.kernel.org:/pub/scm/linux/kernel/git/lethal/sh-2.6

2011-05-24 15:49:57 +09:00

xen

xen: allow enable use of VGA console on dom0

2011-08-15 18:31:34 -07:00

Kbuild

…