On Mon, Jun 20, 2022 at 07:00:10AM -0700, Hyunwoo Kim wrote:
In pxa3xx_gcu_write, a count parameter of
type size_t is passed to words of type int.
Then, copy_from_user may cause a heap overflow because
it is used as the third argument of copy_from_user.
Signed-off-by: Hyunwoo Kim <imv4bel@...>
drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
index 043cc8f9ef1c..c3cd1e1cc01b 100644
@@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
struct pxa3xx_gcu_batch *buffer;
struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
- int words = count / 4;
+ size_t words = count / 4;
The count variable is actually capped at MAX_RW_COUNT in vfs_write()
so "words" cannot be negative. This patch helps clean up the code but
it does not affect run time.
This is CVE-2022-39842.
PS: The other relavant code for people looking for integer overflows in
read/write functions is in rw_verify_area(). That function prevents a
lot of suspicious looking driver code from being exploitable.