Hi Hyunwoo,
On 6/11/22 21:28, Hyunwoo Kim wrote:
> In pxa3xx_gcu_write, a count parameter of
> type size_t is passed to words of type int.
> Then, copy_from_user may cause a heap overflow because
> it is used as the third argument of copy_from_user.
I suggest to simply change the type of "words" a few lines above:
Instead of
int words = count / 4;
use
size_t words = count / 4;
count is already of type size_t and then you don't need to check against < 0.
Can you resend such a patch?
Helge
>
> Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx>
> ---
> drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
> index 043cc8f9ef1c..5ca6d37e365f 100644
> --- a/drivers/video/fbdev/pxa3xx-gcu.c
> +++ b/drivers/video/fbdev/pxa3xx-gcu.c
> @@ -389,7 +389,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
> priv->shared->num_words += words;
>
> /* Last word reserved for batch buffer end command */
> - if (words >= PXA3XX_GCU_BATCH_WORDS)
> + if (words >= PXA3XX_GCU_BATCH_WORDS || words < 0)
> return -E2BIG;
>
> /* Wait for a free buffer */
