Vigil@nce - Linux kernel: integer overflow of i915_gem_execbuffer_relocate_slow
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can trigger an integer overflow in the i915
driver, in order to stop the system, or to execute code.
– Impacted products: Fedora, Linux
– Severity: 2/4
– Creation date: 12/03/2013
DESCRIPTION OF THE VULNERABILITY
The drivers/gpu/drm/i915/i915_gem_execbuffer.c file implements the
support of Intel i915 video devices.
The i915_gem_execbuffer_relocate_slow() function performs memory
copies. The total size of the copies is stored in an integer. However,
this integer can overflow, which leads to the allocation of a memory
area that is too small.
A local attacker can therefore trigger an integer overflow in the
i915 driver, in order to stop the system, or to execute code.
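The size computation described above, as an added userspace C model showing the unchecked total beside a bounds-checked one; it is not the kernel's code and not part of the bulletin. The names reloc_entry, alloc_size_unchecked and alloc_size_checked, the 32-byte entry size and the sample counts are assumptions made for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one relocation entry (32 bytes here). */
struct reloc_entry { uint64_t target, offset, delta, presumed; };

/* Constructed sample inputs: per-object entry counts supplied by a caller. */
static const uint32_t counts_ok[]  = { 3u, 5u };
static const uint32_t counts_bad[] = { 0x80000000u, 0x80000001u };

/* Unchecked pattern: the running total is a 32-bit integer, so the sum of
 * caller-supplied counts wraps and the computed buffer size is too small.
 * (uint32_t is used so that the wrap is well defined in this model.) */
size_t alloc_size_unchecked(const uint32_t *counts, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i];
    return (size_t)total * sizeof(struct reloc_entry);
}

/* Checked pattern: refuse any count that would push the total past the
 * largest value whose byte size still fits in an int. */
int alloc_size_checked(const uint32_t *counts, size_t n, size_t *out)
{
    const uint32_t max = (uint32_t)(INT_MAX / sizeof(struct reloc_entry));
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (counts[i] > max - total)   /* total <= max, so no underflow */
            return -1;                 /* reject the request */
        total += counts[i];
    }
    *out = (size_t)total * sizeof(struct reloc_entry);
    return 0;
}

int main(void)
{
    size_t sz = 0;
    printf("unchecked, wrapping input: %zu bytes\n",
           alloc_size_unchecked(counts_bad, 2));
    printf("checked, wrapping input:   rc=%d\n",
           alloc_size_checked(counts_bad, 2, &sz));
    printf("checked, normal input:     rc=%d, %zu bytes\n",
           alloc_size_checked(counts_ok, 2, &sz), sz);
    return 0;
}
```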