fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
The "index + count" addition can overflow.  Both come directly from the
user.  This bug leads to an information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Peter Malone <peter.malone@gmail.com>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Dan Carpenter authored and Bartlomiej Zolnierkiewicz committed Oct 8, 2018
1 parent d8bad91 commit e501771
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/video/fbdev/sbuslib.c
Expand Up @@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
get_user(ublue, &c->blue))
return -EFAULT;

if (index + count > cmap->len)
if (index > cmap->len || count > cmap->len - index)
return -EINVAL;

for (i = 0; i < count; i++) {
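
Review bot: The replacement condition `index > cmap->len || count > cmap->len - index` is only wrap-free if `index` and `count` are unsigned, and their declarations fall outside this hunk, so that should be confirmed before relying on it. With unsigned operands the order of the two tests is what makes it safe: `index > cmap->len` is rejected first, so `cmap->len - index` cannot wrap, and `count` is then compared against the remaining room without any addition. A one-line comment above the check saying that the subtraction form is deliberate would keep it from being folded back into `index + count` later. The commit message says the bug leads to an information leak but not what is read out of bounds; naming the ioctl and the data reached by the `for (i = 0; i < count; i++)` loop would help anyone triaging backports.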