On Mon, 23 Apr 2012 04:06:42 -0400, Xi Wang <xi.wang at gmail.com> wrote: > On 32-bit systems, a large args->num_cliprects from userspace via ioctl > may overflow the allocation size, leading to out-of-bounds access. > > This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid > allocation for execbuffer object list"). > > Signed-off-by: Xi Wang <xi.wang at gmail.com> > Cc: Chris Wilson <chris at chris-wilson.co.uk> > Cc: stable at vger.kernel.org Reviewed-by: Chris Wilson <chris at chris-wilson.co.uk> -Chris -- Chris Wilson, Intel Open Source Technology Centre