Published: 19 August 2010

The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before, 2.6.32.x before, 2.6.34.x before, and 2.6.35.x before allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount.

From the Ubuntu security team

Kees Cook discovered that under certain situations the ioctl subsystem for DRM did not properly sanitize its arguments. A local attacker could exploit this to read previously freed kernel memory, leading to a loss of privacy.
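The bug class described above, modelled in user space as an added example (this is not the kernel's drm_ioctl code). The names `stale_alloc`, `handler`, `ioctl_weak`, `ioctl_hardened` and `leaked` are hypothetical, and the 0xAA-filled arena is a constructed stand-in for previously freed kernel memory.

```c
#include <stddef.h>
#include <string.h>

#define HANDLER_SIZE 4                 /* bytes the hypothetical handler writes */

/* Constructed stand-in for a recycled allocation: the buffer still holds
 * its previous owner's bytes (marked 0xAA) when it is handed out again. */
static unsigned char arena[64];

static void *stale_alloc(size_t n)
{
    if (n < HANDLER_SIZE || n > sizeof(arena))
        return NULL;
    memset(arena, 0xAA, sizeof(arena));
    return arena;
}

/* Hypothetical driver handler: fills in only a small result. */
static void handler(unsigned char *kdata)
{
    memset(kdata, 0x11, HANDLER_SIZE);
}

/* Weak form: the caller's requested size drives both the allocation and the
 * copy-out, and the buffer is never cleared. */
static int ioctl_weak(unsigned char *user, size_t req_size)
{
    unsigned char *kdata = stale_alloc(req_size);
    if (!kdata) return -1;
    handler(kdata);
    memcpy(user, kdata, req_size);     /* models copy_to_user() */
    return 0;
}

/* Hardened form: zero the allocation before the handler runs, so bytes the
 * handler does not write go back to the caller as zeros. */
static int ioctl_hardened(unsigned char *user, size_t req_size)
{
    unsigned char *kdata = stale_alloc(req_size);
    if (!kdata) return -1;
    memset(kdata, 0, req_size);
    handler(kdata);
    memcpy(user, kdata, req_size);
    return 0;
}

/* Counts stale (0xAA) bytes that reached the caller's buffer. */
static size_t leaked(const unsigned char *user, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (user[i] == 0xAA);
    return c;
}
```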