[CVE-2012-0044] drm clip overflow
Andy Whitcroft
apw at canonical.com
Wed Jan 18 12:54:13 UTC 2012
CVE-2012-0044
There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if
userspace passes in a large num_clips. The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.
This problem was introduced in maverick, and fixes for it have hit
oneiric and later via mainline and stable. Following this email is a
patch for maverick, maverick/ti-omap4, natty and natty/ti-omap4. This
is a simple cherry-pick from mainline.
Proposing for maverick, maverick/ti-omap4, natty and natty/ti-omap4.
-apw
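
Added example, not part of the original message or of the kernel patch: a user-space C model of the size calculation the CVE text describes, showing how a large num_clips wraps the byte count to a small allocation and how a bound check before the multiply rejects it. The struct layout, the function names and the 32-bit width of the size arithmetic are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for one clip rectangle: four 16-bit coordinates, 8 bytes (assumed layout). */
struct clip_rect { uint16_t x1, y1, x2, y2; };

/* Unchecked: models count * element size on a 32-bit size type.
 * Unsigned arithmetic wraps silently, so a huge count yields a tiny size. */
uint32_t alloc_size_unchecked(uint32_t num_clips)
{
    return num_clips * (uint32_t)sizeof(struct clip_rect);
}

/* Checked: refuse any count whose byte size cannot be represented,
 * so the allocation and the count handed to the callee always agree. */
bool alloc_size_checked(uint32_t num_clips, uint32_t *out)
{
    if (num_clips > UINT32_MAX / sizeof(struct clip_rect))
        return false;               /* would overflow: reject the request */
    *out = num_clips * (uint32_t)sizeof(struct clip_rect);
    return true;
}

int main(void)
{
    /* Constructed sample values: one ordinary count, one that wraps. */
    uint32_t counts[] = { 4u, 0x20000001u };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t n = counts[i], size = 0;
        bool ok = alloc_size_checked(n, &size);

        printf("num_clips=%u unchecked=%u bytes, checked=%s\n",
               (unsigned)n, (unsigned)alloc_size_unchecked(n),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the wrapping count the unchecked size is 8 bytes, room for a single rectangle, while the consumer of the buffer would still be told the original count.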