video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write (0c93f29f) · Commits · Summer2022 / 22b970264

Commit 0c93f29f authored 2 years ago by

Hyunwoo Kim Committed by Yongqiang Liu 2 years ago

video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write

mainline inclusion
from mainline-v5.19-rc4
commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5PRMO


CVE: CVE-2022-39842

---------------------

In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
type int.  Then, copy_from_user() may cause a heap overflow because it is used
as the third argument of copy_from_user().

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Zhao Wenhui <zhaowenhui8@huawei.com>
Reviewed-by: Chen Hui <judy.chenhui@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

parent adb2f636

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 1 addition and 1 deletion

Please register or to comment