Commit bf3ba62a authored by Hyunwoo Kim's avatar Hyunwoo Kim Committed by Zheng Zengkai
Browse files

video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write 

mainline inclusion
from mainline-v5.19-rc4
commit a09d2d00
category: bugfix
bugzilla: 187590, https://gitee.com/src-openeuler/kernel/issues/I5PRMO
CVE: CVE-2022-39842

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7



---------------------

In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
type int.  Then, copy_from_user() may cause a heap overflow because it is used
as the third argument of copy_from_user().

Signed-off-by: default avatarHyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: default avatarHelge Deller <deller@gmx.de>
Signed-off-by: default avatarZhao Wenhui <zhaowenhui8@huawei.com>
Signed-off-by: default avatarZheng Zucheng <zhengzucheng@huawei.com>
Reviewed-by: default avatarZhang Qiao <zhangqiao22@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 6878e6d8
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment