In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t count" is pass by userland, if "count" is very large, it will bypass the check of "if ((count + v->len) > v->plen)".(such as count=0xffffffffffffffff). Then it will lead to buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".
diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c
index d0d832a..bd1f826 100644
--- a/arch/mips/kernel/vpe.c_org
+++ b/arch/mips/kernel/vpe.c
@@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer,
if (v == NULL)
return -ENODEV;
- if ((count + v->len) > v->plen) {
+ if ((count + v->len) > v->plen || count + v->len > v->len) {
pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n");
return -ENOMEM;
}
