projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c2ddc14)
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
authorDan Carpenter <dan.carpenter@oracle.com>
Mon, 8 Oct 2018 10:57:36 +0000 (12:57 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Nov 2019 07:23:21 +0000 (08:23 +0100)
[ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]

The "index + count" addition can overflow.  Both come directly from the
user.  This bug leads to an information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Peter Malone <peter.malone@gmail.com>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/video/fbdev/sbuslib.c patch | blob | blame | history

diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index 90c51330969c2f027b4e2e83f98457db7f0265cf..01a7110e61a76a19167fae82d71e1f9efdb312e3 100644 (file)
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
                    get_user(ublue, &c->blue))
                        return -EFAULT;
 
-               if (index + count > cmap->len)
+               if (index > cmap->len || count > cmap->len - index)
                        return -EINVAL;
 
                for (i = 0; i < count; i++) {