| Message ID | 20220611192851.GA482606@ubuntu |
|---|---|
| State | New |
| Headers | show |
| Series | pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write | expand |
Hi Hyunwoo, On 6/11/22 21:28, Hyunwoo Kim wrote: > In pxa3xx_gcu_write, a count parameter of > type size_t is passed to words of type int. > Then, copy_from_user may cause a heap overflow because > it is used as the third argument of copy_from_user. I suggest to simply change the type of "words" a few lines above: Instead of int words = count / 4; use size_t words = count / 4; count is already of type size_t and then you don't need to check against < 0. Can you resend such a patch? Helge > > Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> > --- > drivers/video/fbdev/pxa3xx-gcu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c > index 043cc8f9ef1c..5ca6d37e365f 100644 > --- a/drivers/video/fbdev/pxa3xx-gcu.c > +++ b/drivers/video/fbdev/pxa3xx-gcu.c > @@ -389,7 +389,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, > priv->shared->num_words += words; > > /* Last word reserved for batch buffer end command */ > - if (words >= PXA3XX_GCU_BATCH_WORDS) > + if (words >= PXA3XX_GCU_BATCH_WORDS || words < 0) > return -E2BIG; > > /* Wait for a free buffer */
On 6/20/22 16:17, Hyunwoo Kim wrote: > From 1c55d1e084071caf02e7739e71e65f52206e872c Mon Sep 17 00:00:00 2001 > From: Hyunwoo Kim <imv4bel@gmail.com> > Date: Mon, 20 Jun 2022 07:00:10 -0700 > Subject: [PATCH] pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write > > In pxa3xx_gcu_write, a count parameter of > type size_t is passed to words of type int. > Then, copy_from_user may cause a heap overflow because > it is used as the third argument of copy_from_user. > > Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> applied. Thanks! Helge > --- > drivers/video/fbdev/pxa3xx-gcu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c > index 043cc8f9ef1c..c3cd1e1cc01b 100644 > --- a/drivers/video/fbdev/pxa3xx-gcu.c > +++ b/drivers/video/fbdev/pxa3xx-gcu.c > @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, > struct pxa3xx_gcu_batch *buffer; > struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); > > - int words = count / 4; > + size_t words = count / 4; > > /* Does not need to be atomic. There's a lock in user space, > * but anyhow, this is just for statistics. */ > -- > 2.25.1 > > Hello Helge, > > Fixed the patch as requested. > > Regards, > Hyunwoo Kim
Thanks for your feedback. :)
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c index 043cc8f9ef1c..5ca6d37e365f 100644 --- a/drivers/video/fbdev/pxa3xx-gcu.c +++ b/drivers/video/fbdev/pxa3xx-gcu.c @@ -389,7 +389,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, priv->shared->num_words += words; /* Last word reserved for batch buffer end command */ - if (words >= PXA3XX_GCU_BATCH_WORDS) + if (words >= PXA3XX_GCU_BATCH_WORDS || words < 0) return -E2BIG; /* Wait for a free buffer */
In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user may cause a heap overflow because it is used as the third argument of copy_from_user. Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> --- drivers/video/fbdev/pxa3xx-gcu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)