From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hyunwoo Kim <imv4bel@gmail.com>, Helge Deller <deller@gmx.de>,
Sasha Levin <sashal@kernel.org>,
yangyingliang@huawei.com, yang.lee@linux.alibaba.com,
cai.huoqing@linux.dev, linux-fbdev@vger.kernel.org,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.4 13/27] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
Date: Mon, 27 Jun 2022 22:23:59 -0400
Message-ID: <20220628022413.596341-13-sashal@kernel.org>
In-Reply-To: <20220628022413.596341-1-sashal@kernel.org>
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
type int. Then, copy_from_user() may cause a heap overflow because it is used
as the third argument of copy_from_user().
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
index 7c4694d70dac..15162b37f302 100644
--- a/drivers/video/fbdev/pxa3xx-gcu.c
+++ b/drivers/video/fbdev/pxa3xx-gcu.c
@@ -382,7 +382,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
struct pxa3xx_gcu_batch *buffer;
struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
- int words = count / 4;
+ size_t words = count / 4;
/* Does not need to be atomic. There's a lock in user space,
* but anyhow, this is just for statistics. */
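Review bot: the changed declaration `size_t words = count / 4;` stops a large count from becoming a negative int, but nothing visible in this hunk bounds words before it reaches copy_from_user(). Please confirm that the rest of pxa3xx_gcu_write compares words against the batch buffer capacity and returns an error before the copy, and that no later use narrows words back to int (an int field assignment, a %d format, or a signed comparison). The commit message would also be clearer if it said that the overflow comes from count / 4 not fitting in int, since the size passed to copy_from_user() is derived from words rather than being count itself. As a style point, the integer division silently discards any trailing count % 4 bytes; if that is intended, a short comment at the declaration would help.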
--
2.35.1