Commit e5017716 authored Oct 08, 2018 by Dan Carpenter Committed by Bartlomiej Zolnierkiewicz Oct 08, 2018

fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()

The "index + count" addition can overflow.  Both come directly from the
user.  This bug leads to an information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Peter Malone <peter.malone@gmail.com>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

parent d8bad911

drivers/video/fbdev/sbuslib.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
		get_user(ublue, &c->blue))
		return -EFAULT;

		if (index + count > cmap->len)
		if (index > cmap->len \|\| count > cmap->len - index)
		return -EINVAL;

		for (i = 0; i < count; i++) {