* [git:media_tree/master] media: v4l2-compat-ioctl32: prevent go past max size
From: Mauro Carvalho Chehab @ 2018-04-17  9:50 UTC
  To: linuxtv-commits; +Cc: stable

This is an automatically generated email to let you know that the following patch was queued:

Subject: media: v4l2-compat-ioctl32: prevent go past max size
Author:  Mauro Carvalho Chehab <mchehab@s-opensource.com>
Date:    Wed Apr 11 11:47:32 2018 -0400

As warned by smatch:
	drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'

The access_ok() logic should check for too big arrays too.

Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

---

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 4312935f1dfc..d03a44d89649 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -871,7 +871,7 @@ static int put_v4l2_ext_controls32(struct file *file,
 	    get_user(kcontrols, &kp->controls))
 		return -EFAULT;
 
-	if (!count)
+	if (!count || count > (U32_MAX/sizeof(*ucontrols)))
 		return 0;
 	if (get_user(p, &up->controls))
 		return -EFAULT;
