Description: It has been found that drm_modeset_ctl() did not properly validate input parameters. The issue is that the crtc variable there is signed. So a large enough value passed in the modeset parameter structure will be treated as negative, escaping the check for proper range later. This variable is later used as an index variable, effectively allowing out-of-bounds writes of zero integers.
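The signedness problem described above, as an added user-space model (not the kernel code and not either attached patch): the flawed range check is shown beside a form that keeps the index unsigned. The names `modeset_req`, `check_signed`, `check_unsigned` and the value of `NUM_CRTCS` are assumptions made for this example, and the index is only reported, never used for a write.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CRTCS 2 /* constructed value: size of the per-CRTC array in this model */

/* Hypothetical stand-in for the caller-supplied modeset parameter structure. */
struct modeset_req { uint32_t crtc; };

/* Flawed pattern: the index is held in a signed int and only the upper bound
 * is checked. Returns 0 if the index is accepted, -EINVAL if rejected.
 * The accepted index is reported through *idx instead of being dereferenced. */
int check_signed(const struct modeset_req *req, long *idx)
{
    int crtc = (int)req->crtc;       /* values >= 0x80000000 turn negative here */
    if (crtc >= NUM_CRTCS)           /* a negative value is never >= NUM_CRTCS */
        return -EINVAL;
    *idx = crtc;
    return 0;
}

/* Hardened pattern: the index stays unsigned, so the single upper-bound
 * comparison also rejects everything that would have wrapped negative. */
int check_unsigned(const struct modeset_req *req, long *idx)
{
    unsigned int crtc = req->crtc;
    if (crtc >= (unsigned int)NUM_CRTCS)
        return -EINVAL;
    *idx = (long)crtc;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs around the valid range and the sign boundary. */
    uint32_t samples[] = { 0, 1, 2, 0x7fffffffu, 0x80000000u, 0xffffffffu };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct modeset_req req = { samples[i] };
        long s_idx = 0, u_idx = 0;
        int rs = check_signed(&req, &s_idx);
        int ru = check_unsigned(&req, &u_idx);
        printf("crtc=0x%08x signed:%s(idx=%ld) unsigned:%s\n",
               (unsigned)samples[i], rs ? "rejected" : "ACCEPTED", s_idx,
               ru ? "rejected" : "accepted");
    }
    return 0;
}
```

The conversion of an out-of-range `uint32_t` to `int` is implementation-defined in C; the model assumes the two's-complement wrap that mainstream compilers perform.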
Created attachment 480579 OpenBSD proposed patch
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 as they did not include the affected functionality. A future update in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG may address this flaw.
Created attachment 480596 Linux proposed patch
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/drm/drm_irq.c.diff?r1=1.41;r2=1.42;f=h
Upstream commit: http://git.kernel.org/linus/1922756124ddd53846877416d92ba4a802bc658f
This issue has been addressed in the following products: MRG for RHEL-5, via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2011:0498 https://rhn.redhat.com/errata/RHSA-2011-0498.html