[PATCH 3/4] drm: fix unsigned vs signed comparison issue in modeset ctl ioctl, CVE-2011-1013

paolo.pisati at canonical.com paolo.pisati at canonical.com
Mon Jul 4 10:03:33 UTC 2011


From: Dave Airlie <airlied at redhat.com>

BugLink: http://bugs.launchpad.net/bugs/804229

CVE-2011-1013

commit 1922756124ddd53846877416d92ba4a802bc658f upstream.

This fixes CVE-2011-1013.

Reported-by: Matthiew Herrb (OpenBSD X.org team)
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
---
 drivers/gpu/drm/drm_irq.c |    3 ++-
 include/drm/drmP.h        |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index f298434..a60bf9f 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -513,7 +513,8 @@ int drm_modeset_ctl(struct drm_device *dev, void *data,
 		    struct drm_file *file_priv)
 {
 	struct drm_modeset_ctl *modeset = data;
-	int crtc, ret = 0;
+	int ret = 0;
+	unsigned int crtc;
 
 	/* If drm_vblank_init() hasn't been called yet, just no-op */
 	if (!dev->num_crtcs)
diff --git a/include/drm/drmP.h b/include/drm/drmP.h
index 4637dce..c012b01 100644
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -989,7 +989,7 @@ struct drm_device {
 	struct pci_controller *hose;
 #endif
 	struct drm_sg_mem *sg;	/**< Scatter gather memory */
-	int num_crtcs;                  /**< Number of CRTCs on this device */
+	unsigned int num_crtcs;                  /**< Number of CRTCs on this device */
 	void *dev_private;		/**< device private data */
 	void *mm_private;
 	struct address_space *dev_mapping;
-- 
1.7.4.1





More information about the kernel-team mailing list