>From 1c55d1e084071caf02e7739e71e65f52206e872c Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim <imv4bel@xxxxxxxxx> Date: Mon, 20 Jun 2022 07:00:10 -0700 Subject: [PATCH] pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user may cause a heap overflow because it is used as the third argument of copy_from_user. Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx> --- drivers/video/fbdev/pxa3xx-gcu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c index 043cc8f9ef1c..c3cd1e1cc01b 100644 --- a/drivers/video/fbdev/pxa3xx-gcu.c +++ b/drivers/video/fbdev/pxa3xx-gcu.c @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, struct pxa3xx_gcu_batch *buffer; struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); - int words = count / 4; + size_t words = count / 4; /* Does not need to be atomic. There's a lock in user space, * but anyhow, this is just for statistics. */ -- 2.25.1 Hello Helge, Fixed the patch as requested. Regards, Hyunwoo Kim
