Re: [PATCH] MIPS: vpe: fix integer overflow in vpe_write()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jul 14, 2022 at 10:17:05PM +0800, Ning Qiang wrote:
> In the vpe_write function of arch/mips/kernel/vpe.c,parameter "size_t
> count" is pass by userland, if "count" is very large, it will bypass
> the check of "if ((count + v->len) > v->plen)".(such as
> count=0xffffffffffffffff). Then it will lead to buffer overflow in
> "copy_from_user(v->pbuffer + v->len, buffer, count)".
> 
> Signed-off-by: Ning Qiang <sohu0106@xxxxxxx>
> ---

Thanks!

Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

regards,
dan carpenter




[Index of Archives]     [LKML Archive]     [Linux ARM Kernel]     [Linux ARM]     [Git]     [Yosemite News]     [Linux SCSI]     [Linux Hams]

  Powered by Linux