On Tue 2020-01-07 21:54:10, Greg Kroah-Hartman wrote:
> From: Daniel Vetter <daniel.vetter@xxxxxxxx>
>
> [ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ]
>
> The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
> ("uaccess: disallow > INT_MAX copy sizes")
> Code itself should have been fine as-is.
>
> Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@xxxxxxxx
> Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
> Reported-by: syzbot+fb77e97ebf0612ee6914@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
There is no such thing as commit 6a30afa8c1fb. Apparently this is
talking about commit "6d13de1489b6bf539695f96d945de3860e6d5e17", but
that one is not in 4.19-stable.
Do we need this in 4.19-stable?
Pavel
> +++ b/drivers/gpu/drm/drm_property.c
> @@ -556,7 +556,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
> struct drm_property_blob *blob;
> int ret;
>
> - if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> + if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
> return ERR_PTR(-EINVAL);
>
> blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Attachment:
signature.asc
Description: Digital signature
