There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in a memory corruption.

Reported-by: Haogang Chen <haogangchen>
Signed-off-by: Xi Wang <xi.wang>

Upstream commit: http://git.kernel.org/linus/a5cd335165e31db9dbab636fd29895d41da55dd2

Acknowledgements: Red Hat would like to thank Chen Haogang for reporting this issue.
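The bug class described in the report, modelled in plain userland C as an added example (this is not the kernel's drm_crtc.c code and not the upstream fix): a caller-controlled element count is multiplied by the element size to obtain an allocation length, the product wraps on a 32-bit size, and the resulting buffer is far smaller than the count that is later used to walk it. The 8-byte clip structure, the MAX_CLIPS bound of 256 and the function names are assumptions chosen for the illustration; the hardened variant shows the two checks a reviewer would expect: a fixed upper bound on the count and a refusal of any count whose product would overflow.

```c
/* Added example: unchecked vs. checked allocation-length computation.
 * Not kernel code; models the pattern behind the drm_mode_dirtyfb_ioctl()
 * report using a 32-bit size type so the wrap is visible in userland. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical clip rectangle: four 16-bit coordinates, 8 bytes total. */
struct clip_rect { uint16_t x1, y1, x2, y2; };

/* Hypothetical upper bound on clips per request (assumed for this example). */
#define MAX_CLIPS 256u

/* Vulnerable pattern: the byte length is computed in 32-bit arithmetic with
 * no bound on the count, so a large count wraps to a tiny length. Returns the
 * (possibly wrapped) length the caller would hand to the allocator. */
uint32_t unchecked_alloc_len(uint32_t num_clips)
{
    return num_clips * (uint32_t)sizeof(struct clip_rect);
}

/* Hardened pattern: reject zero, reject counts above the fixed bound, and
 * refuse any product that would exceed the 32-bit range. Returns 0 on
 * rejection (0 is never a valid length here), otherwise the byte length. */
uint32_t checked_alloc_len(uint32_t num_clips)
{
    if (num_clips == 0 || num_clips > MAX_CLIPS)
        return 0;
    /* General overflow guard; unreachable with MAX_CLIPS = 256 but kept so the
     * check does not silently depend on the bound staying small. */
    if (num_clips > UINT32_MAX / sizeof(struct clip_rect))
        return 0;
    return num_clips * (uint32_t)sizeof(struct clip_rect);
}

/* Copies num_clips rectangles from src into a freshly allocated buffer sized
 * by the hardened routine. Returns the number of clips accepted, or -1 when
 * the count is rejected or allocation fails. The caller must own at least
 * num_clips elements in src. */
int copy_clips(const struct clip_rect *src, uint32_t num_clips,
               struct clip_rect **dst)
{
    uint32_t len = checked_alloc_len(num_clips);
    if (len == 0)
        return -1;
    *dst = malloc(len);
    if (*dst == NULL)
        return -1;
    memcpy(*dst, src, len);
    return (int)num_clips;
}

int main(void)
{
    /* Constructed sample input: three clips from a pretend caller. */
    struct clip_rect sample[3] = {
        { 0, 0, 10, 10 }, { 10, 0, 20, 10 }, { 0, 10, 10, 20 }
    };
    struct clip_rect *buf = NULL;
    uint32_t huge = 0x20000001u;  /* 536870913 clips */

    /* 0x20000001 * 8 = 0x100000008, which wraps to 8: room for one clip
     * while the count still claims half a billion. */
    printf("unchecked length for %u clips: %u bytes\n",
           huge, unchecked_alloc_len(huge));
    printf("checked length for %u clips: %u (0 = rejected)\n",
           huge, checked_alloc_len(huge));

    int n = copy_clips(sample, 3, &buf);
    printf("copy_clips(3) accepted %d clips\n", n);
    free(buf);
    return 0;
}
```

Running it prints the wrapped length (8 bytes) for the oversized count beside the hardened routine's rejection; the bounded check is the shape of guard that the upstream fix applies before the allocation.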
Added CVE-2012-0044 as per http://www.openwall.com/lists/oss-security/2012/01/12/1
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not backport commit 884840aa that introduced this issue.
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782683]
To exploit this, the user has to log in under X or otherwise has r/w access to the dri path (group "video").
This issue has been addressed in the following products:

MRG for RHEL-6 v.2

Via RHSA-2012:0333 https://rhn.redhat.com/errata/RHSA-2012-0333.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0743 https://rhn.redhat.com/errata/RHSA-2012-0743.html
Is it possible to fix this bug without the new kernel from RedHat?
(In reply to comment #11)
> Is it possible to fix this bug without the new kernel from RedHat?

Sure. You can use an upstream kernel that has this problem fixed (one that includes commit a5cd335165e31db9dbab636fd29895d41da55dd2). You can even use recent Fedora kernels; they include the fix now as well.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1042 https://rhn.redhat.com/errata/RHSA-2012-1042.html