drm: fix unsigned vs signed comparison issue in modeset ctl ioctl.
Dave Airlie [Wed, 23 Feb 2011 22:35:06 +0000 (08:35 +1000)]
This fixes CVE-2011-1013.

Reported-by: Matthiew Herrb (OpenBSD X.org team)
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

drivers/gpu/drm/drm_irq.c
include/drm/drmP.h

index 53120a7..28d1d3c 100644 (file)
@@ -1012,7 +1012,8 @@ int drm_modeset_ctl(struct drm_device *dev, void *data,
                    struct drm_file *file_priv)
 {
        struct drm_modeset_ctl *modeset = data;
-       int crtc, ret = 0;
+       int ret = 0;
+       unsigned int crtc;
 
        /* If drm_vblank_init() hasn't been called yet, just no-op */
        if (!dev->num_crtcs)
index fe29aad..348843b 100644 (file)
@@ -1101,7 +1101,7 @@ struct drm_device {
        struct platform_device *platformdev; /**< Platform device struture */
 
        struct drm_sg_mem *sg;  /**< Scatter gather memory */
-       int num_crtcs;                  /**< Number of CRTCs on this device */
+       unsigned int num_crtcs;                  /**< Number of CRTCs on this device */
        void *dev_private;              /**< device private data */
        void *mm_private;
        struct address_space *dev_mapping;