On Mon, Jun 27, 2022 at 10:20:41PM -0400, Sasha Levin wrote: > From: Hyunwoo Kim <imv4bel@xxxxxxxxx> > > [ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] > > In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of > type int. Then, copy_from_user() may cause a heap overflow because it is used > as the third argument of copy_from_user(). Why this commit is still not in the stable branches? Isn't this is the fix for CVE-2022-39842[1]? Thanks, [1] https://nvd.nist.gov/vuln/detail/CVE-2022-39842 > > Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx> > Signed-off-by: Helge Deller <deller@xxxxxx> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> > --- > drivers/video/fbdev/pxa3xx-gcu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c > index 9421d14d0eb0..9e9888e40c57 100644 > --- a/drivers/video/fbdev/pxa3xx-gcu.c > +++ b/drivers/video/fbdev/pxa3xx-gcu.c > @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, > struct pxa3xx_gcu_batch *buffer; > struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); > > - int words = count / 4; > + size_t words = count / 4; > > /* Does not need to be atomic. There's a lock in user space, > * but anyhow, this is just for statistics. */ > -- > 2.35.1 >