On 2013-11-19 21:25, Sasha Levin wrote: > kyro would copy u32s and specify sizeof(unsigned long) as the size to copy. > > This would copy more data than intended and cause memory corruption and might > leak kernel memory. > > Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx> > --- > drivers/video/kyro/fbdev.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/video/kyro/fbdev.c b/drivers/video/kyro/fbdev.c > index 50c8574..65041e1 100644 > --- a/drivers/video/kyro/fbdev.c > +++ b/drivers/video/kyro/fbdev.c > @@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info, > return -EINVAL; > } > case KYRO_IOCTL_UVSTRIDE: > - if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long))) > + if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride))) > return -EFAULT; > break; > case KYRO_IOCTL_STRIDE: > - if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long))) > + if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride))) > return -EFAULT; > break; > case KYRO_IOCTL_OVERLAY_OFFSET: > - if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long))) > + if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset))) > return -EFAULT; > break; > } > Thanks, applied for 3.13 fixes. Tomi
Attachment:
signature.asc
Description: OpenPGP digital signature
