On Mon, Jun 20, 2022 at 07:00:10AM -0700, Hyunwoo Kim wrote: > In pxa3xx_gcu_write, a count parameter of > type size_t is passed to words of type int. > Then, copy_from_user may cause a heap overflow because > it is used as the third argument of copy_from_user. > > Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx> > --- > drivers/video/fbdev/pxa3xx-gcu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c > index 043cc8f9ef1c..c3cd1e1cc01b 100644 > --- a/drivers/video/fbdev/pxa3xx-gcu.c > +++ b/drivers/video/fbdev/pxa3xx-gcu.c > @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, > struct pxa3xx_gcu_batch *buffer; > struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); > > - int words = count / 4; > + size_t words = count / 4; The count variable is actually capped at MAX_RW_COUNT in vfs_write() so "words" cannot be negative. This patch helps clean up the code but it does not affect run time. This is CVE-2022-39842. regards, dan carpenter PS: The other relavant code for people looking for integer overflows in read/write functions is in rw_verify_area(). That function prevents a lot of suspicious looking driver code from being exploitable.
