On Wed, Nov 24, 2010 at 09:46:49AM +0300, Dan Carpenter wrote: > On Wed, Nov 24, 2010 at 03:25:58PM +0900, Paul Mundt wrote: > > On Sun, Nov 21, 2010 at 08:40:01PM +0300, Vasiliy Kulikov wrote: > > > (count + p) is not checked for integer overflow. If p < fbmemlength > > > and count == (size_t)(1 - p) (very big unsigned integer) then > > > count + p == 1 < fbmemlength and copy_to_user(base_addr+p, buf, count) > > > overflows base_addr. > > > > > > Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx> > > > > Applied, thanks. > > The patch is harmless, but the integer overflow would actually be caught > in rw_verify_area(). > Ah, so it is, I'll drop it then, thanks. -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html