[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20191122100916.671409720@linuxfoundation.org>
Date: Fri, 22 Nov 2019 11:29:00 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Dan Carpenter <dan.carpenter@...cle.com>,
Peter Malone <peter.malone@...il.com>,
Philippe Ombredanne <pombredanne@...b.com>,
Mathieu Malaterre <malat@...ian.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Sasha Levin <sashal@...nel.org>
Subject: [PATCH 4.9 200/222] fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
From: Dan Carpenter <dan.carpenter@...cle.com>
[ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]
The "index + count" addition can overflow. Both come directly from the
user. This bug leads to an information leak.
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Peter Malone <peter.malone@...il.com>
Cc: Philippe Ombredanne <pombredanne@...b.com>
Cc: Mathieu Malaterre <malat@...ian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
drivers/video/fbdev/sbuslib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index b425718925c01..52e161dbd2047 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -170,7 +170,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
get_user(ublue, &c->blue))
return -EFAULT;
- if (index + count > cmap->len)
+ if (index > cmap->len || count > cmap->len - index)
return -EINVAL;
for (i = 0; i < count; i++) {
--
2.20.1
Powered by blists - more mailing lists