Description:
It has been found that drm_modeset_ctl() did not properly validate input parameters. The issue is that the crtc variable there is signed. So a large enough value passed in the modeset parameter structure will be treated as negative, escaping the check for proper range later. This variable is later used as an index variable effectively allowing out of bounds writes of zero integers.
Statement:
This issue did not affect the versions of the Linux kernel as shipped with Red
Hat Enterprise Linux 4, 5 as they did not include the affected functionality. A future update in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG may address this flaw.