diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2018-10-08 12:57:36 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-11-25 15:54:47 +0100 |
commit | c0dea2024671239aa31b4921e61fab67295d1517 (patch) | |
tree | 9e4324a75ea4f5cfde3d2757ab377c0a66c19b20 | |
parent | 6fc10fb9663d45eaafc353bcfae09badb8585a7f (diff) |
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
[ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]
The "index + count" addition can overflow. Both come directly from the
user. This bug leads to an information leak.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Peter Malone <peter.malone@gmail.com>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | drivers/video/fbdev/sbuslib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c index b425718925c0..52e161dbd204 100644 --- a/drivers/video/fbdev/sbuslib.c +++ b/drivers/video/fbdev/sbuslib.c @@ -170,7 +170,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, get_user(ublue, &c->blue)) return -EFAULT; - if (index + count > cmap->len) + if (index > cmap->len || count > cmap->len - index) return -EINVAL; for (i = 0; i < count; i++) { |