UPSTREAM: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write [ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user() may cause a heap overflow because it is used as the third argument of copy_from_user(). Bug: 245928838 Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I9e21917a52e2cb78cc640a77a6eba21838aa8655 Signed-off-by: Lee Jones <joneslee@google.com>

commit: b7ae16d4cb5c5ec0824aa8fa838fc242df1d5f00 [log] [tgz]
author: Hyunwoo Kim <imv4bel@gmail.com> Mon Jun 20 07:17:46 2022 -0700
committer: Lee Jones <joneslee@google.com> Thu Dec 22 23:03:22 2022 +0000
tree: de43b5b3e2ac53a9158ff9338bece00b87319428
parent: 802da52358ed93c0320ce9c7d0c7944e8231743d [diff]
diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
index 4279e13..3f23064 100644
--- a/drivers/video/fbdev/pxa3xx-gcu.c
+++ b/drivers/video/fbdev/pxa3xx-gcu.c

@@ -381,7 +381,7 @@
 	struct pxa3xx_gcu_batch	*buffer;
 	struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
 
-	int words = count / 4;
+	size_t words = count / 4;
 
 	/* Does not need to be atomic. There's a lock in user space,
 	 * but anyhow, this is just for statistics. */
commit	b7ae16d4cb5c5ec0824aa8fa838fc242df1d5f00	[log] [tgz]
author	Hyunwoo Kim <imv4bel@gmail.com>	Mon Jun 20 07:17:46 2022 -0700
committer	Lee Jones <joneslee@google.com>	Thu Dec 22 23:03:22 2022 +0000
tree	de43b5b3e2ac53a9158ff9338bece00b87319428
parent	802da52358ed93c0320ce9c7d0c7944e8231743d [diff]