diff options
| author | Dan Carpenter <[email protected]> | 2018-10-08 12:57:36 +0200 |
|---|---|---|
| committer | Bartlomiej Zolnierkiewicz <[email protected]> | 2018-10-08 12:57:36 +0200 |
| commit | e5017716adb8aa5c01c52386c1b7470101ffe9c5 (patch) | |
| tree | 9fe13b9419608329515b18beee4a922fab4d68fa | |
| parent | d8bad911e5e55e228d59c0606ff7e6b8131ca7bf (diff) | |
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
The "index + count" addition can overflow. Both come directly from the
user. This bug leads to an information leak.
Signed-off-by: Dan Carpenter <[email protected]>
Cc: Peter Malone <[email protected]>
Cc: Philippe Ombredanne <[email protected]>
Cc: Mathieu Malaterre <[email protected]>
Signed-off-by: Bartlomiej Zolnierkiewicz <[email protected]>
| -rw-r--r-- | drivers/video/fbdev/sbuslib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c index 90c51330969c..01a7110e61a7 100644 --- a/drivers/video/fbdev/sbuslib.c +++ b/drivers/video/fbdev/sbuslib.c @@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, get_user(ublue, &c->blue)) return -EFAULT; - if (index + count > cmap->len) + if (index > cmap->len || count > cmap->len - index) return -EINVAL; for (i = 0; i < count; i++) { |