In the vpe_write function of arch/mips/kernel/vpe.c,parameter "size_t
count" is pass by userland, if "count" is very large, it will bypass
the check of "if ((count + v->len) > v->plen)".(such as
count=0xffffffffffffffff). Then it will lead to buffer overflow in
"copy_from_user(v->pbuffer + v->len, buffer, count)".
Signed-off-by: Ning Qiang <sohu0106@xxxxxxx>
---
arch/mips/kernel/vpe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/mips/kernel/vpe.c b/arch/mips/kernel/vpe.c
index 13294972707b..1529e755200d 100644
--- a/arch/mips/kernel/vpe.c
+++ b/arch/mips/kernel/vpe.c
@@ -849,7 +849,7 @@ static ssize_t vpe_write(struct file *file, const char __user *buffer,
if (v == NULL)
return -ENODEV;
- if ((count + v->len) > v->plen) {
+ if ((count + v->len) > v->plen || count + v->len < v->len) {
pr_warn("VPE loader: elf size too big. Perhaps strip unneeded symbols\n");
return -ENOMEM;
}
--
2.25.1
