824178 – (CVE-2012-2384) CVE-2012-2384 kernel: drm/i915: integer overflow in i915_gem_do_execbuffer()

Bug 824178 (CVE-2012-2384) - CVE-2012-2384 kernel: drm/i915: integer overflow in i915_gem_do_execbuffer()

Summary: CVE-2012-2384 kernel: drm/i915: integer overflow in i915_gem_do_execbuffer()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-2384
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	824561 824563 824564 824565
Blocks:	824180
TreeView+	depends on / blocked

Reported:	2012-05-22 21:48 UTC by Petr Matousek
Modified:	2021-02-23 14:44 UTC (History)
CC List:	24 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-08-24 12:39:57 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:1304	0	normal	SHIPPED_LIVE	Moderate: kernel security and bug fix update	2012-09-25 22:58:04 UTC

Description Petr Matousek 2012-05-22 21:48:06 UTC

Description of the problem:
On 32-bit systems, a large args->num_cliprects from userspace via ioctl may overflow the allocation size, leading to out-of-bounds access.

References:
http://www.openwall.com/lists/oss-security/2012/05/21/1

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=44afb3a04391a74309d16180d1e4f8386fdfa745

Comment 1 Josh Boyer 2012-05-23 16:03:39 UTC

FYI.  This was fixed in 3.3.5 (stable commit 4a265435c87b19175c3906ff49ffe5bf4a4cc228).  All Fedora branches are on that or newer already.

Comment 2 Josh Boyer 2012-05-23 16:04:15 UTC

Sorry, that should have been stable commit 9f4660213e58b3b78dc75bf3e3b4126dbe9a0b14

Comment 5 Petr Matousek 2012-07-04 05:33:30 UTC

Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2. This issue was addressed in Red Hat Enterprise Linux 6 via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html.

Comment 6 errata-xmlrpc 2012-09-25 18:59:53 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html

Note You need to log in before you can comment on or make changes to this bug.

agordeev
airlied
anton
arozansk
bhu
davej
dhoward
fhrbata
gansalmon
itamar
jforbes
jkacur
jonathan
jwboyer
kernel-maint
kernel-mgr
lgoncalv
lwang
madhu.chinakonda
mmilgram
mrg-program-list
plougher
sforsber
williams