diff options
author | Matt Mackall <mpm@selenic.com> | 2007-07-19 11:30:14 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-19 14:21:04 -0700 |
commit | 5a021e9ffd56c22700133ebc37d607f95be8f7bd (patch) | |
tree | 0d289c7feec4e7b3b19c7c312e8cb31532c5b9c9 /drivers/video/cfbcopyarea.c | |
parent | f745bb1c73e2395e6b9961d4d915a8f8e2cd32cd (diff) |
random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
(Bug reported by the PaX Team <pageexec@freemail.hu>)
Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/video/cfbcopyarea.c')
0 files changed, 0 insertions, 0 deletions