diff options
| author | Hyunwoo Kim <imv4bel@gmail.com> | 2022-09-08 15:07:37 +0800 |
|---|---|---|
| committer | Zheng Zengkai <zhengzengkai@huawei.com> | 2022-09-20 10:56:40 +0800 |
| commit | fc34eb6878649665a890f4c1871dcfea1adfda0c (patch) | |
| tree | 7362a85c491c1cca6d7ce3d81984eb17870cffa3 | |
| parent | 17e07b09fc2b14b537ac0636d2dbcc7da2241e82 (diff) | |
| download | openEuler-kernel-fc34eb6878649665a890f4c1871dcfea1adfda0c.tar.gz | |
video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
mainline inclusion
from mainline-5.19-rc4
commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5PRMO
CVE: CVE-2022-39842
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
--------------------------------
In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
type int. Then, copy_from_user() may cause a heap overflow because it is used
as the third argument of copy_from_user().
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: huhai <huhai@kylinos.cn>
| -rw-r--r-- | drivers/video/fbdev/pxa3xx-gcu.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c index 4279e13a3b58dc..3f23064199476b 100644 --- a/drivers/video/fbdev/pxa3xx-gcu.c +++ b/drivers/video/fbdev/pxa3xx-gcu.c @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, struct pxa3xx_gcu_batch *buffer; struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); - int words = count / 4; + size_t words = count / 4; /* Does not need to be atomic. There's a lock in user space, * but anyhow, this is just for statistics. */ |