Xi Wang a5cd335165 drm: integer overflow in drm_mode_dirtyfb_ioctl() ...

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

2011-11-23 08:59:28 +00:00

..

i2c

…

ttm

Revert "drm/ttm: add a way to bo_wait for either the last read or last write"

2011-10-27 18:28:37 +02:00

drm_buffer.h

…

drm_cache.h

…

drm_core.h

…

drm_crtc_helper.h

…

drm_crtc.h

drm: support routines for HDMI/DP ELD

2011-09-21 14:52:41 -07:00

drm_dp_helper.h

drm/radeon/kms: properly set panel mode for eDP

2011-11-01 16:01:58 +00:00

drm_edid.h

drm: support routines for HDMI/DP ELD

2011-09-21 14:52:41 -07:00

drm_encoder_slave.h

…

drm_fb_helper.h

…

drm_fixed.h

…

drm_global.h

…

drm_hashtab.h

…

drm_mem_util.h

…

drm_memory.h

…

drm_mm.h

…

drm_mode.h

drm: integer overflow in drm_mode_dirtyfb_ioctl()

2011-11-23 08:59:28 +00:00

drm_os_linux.h

…

drm_pciids.h

drm/radeon: add some missing FireMV pci ids

2011-11-15 19:43:06 +00:00

drm_sarea.h

…

drm_sman.h

…

drm_sysfs.h

…

drm_usb.h

…

drm.h

…

drmP.h

drm: serialize access to list of debugfs files

2011-11-11 11:05:19 +00:00

exynos_drm.h

drm/exynos: added padding to be 64-bit align.

2011-11-11 12:01:49 +00:00

i810_drm.h

…

i915_drm.h

drm/i915: Fix typo in DRM_I915_OVERLAY_PUT_IMAGE ioctl define

2011-07-22 13:36:44 -07:00

intel-gtt.h

drm/i915: ILK + VT-d workaround

2011-10-20 15:26:39 -07:00

Kbuild

…

mga_drm.h

…

nouveau_drm.h

…

r128_drm.h

…

radeon_drm.h

drm/radeon/kms: add a CS ioctl flag not to rewrite tiling flags in the CS

2011-11-20 07:53:13 +00:00

savage_drm.h

…

sis_drm.h

…

via_drm.h

…

vmwgfx_drm.h

vmwgfx: Reinstate the update_layout ioctl

2011-11-02 08:30:31 +00:00