Re: [PATCH] pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write

From: Helge Deller <deller@gmx.de>
Date: 2022-06-20 12:51:32

Hi Hyunwoo,

On 6/11/22 21:28, Hyunwoo Kim wrote:

In pxa3xx_gcu_write, a count parameter of
type size_t is passed to words of type int.
Then, copy_from_user may cause a heap overflow because
it is used as the third argument of copy_from_user.

I suggest to simply change the type of "words" a few lines above:
Instead of
        int words = count / 4;
use
        size_t words = count / 4;

count is already of type size_t and then you don't need to check against < 0.

Can you resend such a patch?

Helge

quoted hunk ↗ jump to hunk

Signed-off-by: Hyunwoo Kim <redacted>
---
 drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
index 043cc8f9ef1c..5ca6d37e365f 100644
--- a/drivers/video/fbdev/pxa3xx-gcu.c
+++ b/drivers/video/fbdev/pxa3xx-gcu.c

@@ -389,7 +389,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
 	priv->shared->num_words += words;

 	/* Last word reserved for batch buffer end command */
-	if (words >= PXA3XX_GCU_BATCH_WORDS)
+	if (words >= PXA3XX_GCU_BATCH_WORDS || words < 0)
 		return -E2BIG;

 	/* Wait for a free buffer */

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help