There is a potential integer overflow in
drm_mode_dirtyfb_ioctl() if userspace passes in a large
num_clips. The call to kmalloc would allocate a small
buffer, and the call to fb->funcs->dirty may result in a

This problem was introduced in maverick, and fixes for it have hit
oneiric and later via mainline and stable. Following this email is a
patch for maverick, maverick/ti-omap4, natty and natty/ti-omap4. This
is a simple cherry-pick from mainline.

Proposing for maverick, maverick/ti-omap4, natty and natty/ti-omap4.

Tim Gardner firstname.lastname@example.org
kernel-team mailing list
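
The size calculation described in the message above, as an added example that is not part of the original email or of the kernel patch: a userspace C model of a count-times-element-size multiplication on a 32-bit size_t, unchecked and checked. The struct layout, the MAX_CLIPS bound, the sample counts and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for one clip rectangle: four 16-bit coordinates, 8 bytes. */
struct clip_rect { uint16_t x1, y1, x2, y2; };

#define ELEM_SIZE ((uint32_t)sizeof(struct clip_rect))
#define MAX_CLIPS 256u /* hypothetical upper bound, chosen for this example */

/* Unchecked: uint32_t models a 32-bit size_t, so the product wraps mod 2^32. */
static uint32_t unchecked_alloc_size(uint32_t num_clips)
{
    return num_clips * ELEM_SIZE;
}

/* Bytes a consumer walking num_clips entries would actually touch. */
static uint64_t bytes_consumer_touches(uint32_t num_clips)
{
    return (uint64_t)num_clips * ELEM_SIZE;
}

/* Checked: returns the allocation size, or -1 if the count must be rejected. */
static int64_t checked_alloc_size(uint32_t num_clips)
{
    if (num_clips == 0 || num_clips > MAX_CLIPS)
        return -1;                       /* policy bound on userspace input */
    if (num_clips > UINT32_MAX / ELEM_SIZE)
        return -1;                       /* general guard: product would wrap */
    return (int64_t)(num_clips * ELEM_SIZE);
}

int main(void)
{
    /* Constructed sample counts: one ordinary, one that wraps the product. */
    const uint32_t samples[] = { 4u, 0x20000001u };
    for (size_t i = 0; i < 2; i++) {
        uint32_t n = samples[i];
        printf("num_clips=%u unchecked=%u needed=%llu checked=%lld\n",
               (unsigned)n, (unsigned)unchecked_alloc_size(n),
               (unsigned long long)bytes_consumer_touches(n),
               (long long)checked_alloc_size(n));
    }
    return 0;
}
```

The gap between the unchecked size and the bytes the consumer touches is the mismatch the message describes: the allocation is small while the count handed on is still large.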