linux-kernel.vger.kernel.org archive mirror
* [PATCH] video: kyro: fix incorrect sizes when copying to userspace
@ 2013-11-19 19:25 Sasha Levin
  2013-11-26 14:40 ` Tomi Valkeinen
From: Sasha Levin @ 2013-11-19 19:25 UTC
  To: plagnioj, tomi.valkeinen; +Cc: gregkh, linux-fbdev, linux-kernel, Sasha Levin

kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.

This would copy more data than intended and cause memory corruption and might
leak kernel memory.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
 drivers/video/kyro/fbdev.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/kyro/fbdev.c b/drivers/video/kyro/fbdev.c
index 50c8574..65041e1 100644
--- a/drivers/video/kyro/fbdev.c
+++ b/drivers/video/kyro/fbdev.c
@@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info,
 			return -EINVAL;
 		}
 	case KYRO_IOCTL_UVSTRIDE:
-		if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
+		if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
 			return -EFAULT;
 		break;
 	case KYRO_IOCTL_STRIDE:
-		if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
+		if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
 			return -EFAULT;
 		break;
 	case KYRO_IOCTL_OVERLAY_OFFSET:
-		if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
+		if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
 			return -EFAULT;
 		break;
 	}
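
Review bot: The user-visible write size changes in all three cases (KYRO_IOCTL_UVSTRIDE, KYRO_IOCTL_STRIDE, KYRO_IOCTL_OVERLAY_OFFSET) and the commit message does not say so. Where unsigned long is wider than the u32 fields, a caller that passed an unsigned long buffer through argp now gets only the field's bytes written, and the rest of its buffer keeps whatever it held before the call. Please state in the commit message that the copied size is now the size of the field, so callers know to pass a matching type or zero their buffer first, and consider a one-line comment above the first case noting that the fields are u32, so a hard-coded type is not reintroduced later.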
-- 
1.7.10.4



* Re: [PATCH] video: kyro: fix incorrect sizes when copying to userspace
  2013-11-19 19:25 [PATCH] video: kyro: fix incorrect sizes when copying to userspace Sasha Levin
@ 2013-11-26 14:40 ` Tomi Valkeinen
From: Tomi Valkeinen @ 2013-11-26 14:40 UTC
  To: Sasha Levin, plagnioj; +Cc: gregkh, linux-fbdev, linux-kernel


On 2013-11-19 21:25, Sasha Levin wrote:
> kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.
> 
> This would copy more data than intended and cause memory corruption and might
> leak kernel memory.
> 
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> ---
>  drivers/video/kyro/fbdev.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/video/kyro/fbdev.c b/drivers/video/kyro/fbdev.c
> index 50c8574..65041e1 100644
> --- a/drivers/video/kyro/fbdev.c
> +++ b/drivers/video/kyro/fbdev.c
> @@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info,
>  			return -EINVAL;
>  		}
>  	case KYRO_IOCTL_UVSTRIDE:
> -		if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
> +		if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
>  			return -EFAULT;
>  		break;
>  	case KYRO_IOCTL_STRIDE:
> -		if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
> +		if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
>  			return -EFAULT;
>  		break;
>  	case KYRO_IOCTL_OVERLAY_OFFSET:
> -		if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
> +		if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
>  			return -EFAULT;
>  		break;
>  	}
> 
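
Review bot: Style point on the three replacement copy_to_user() lines: each runs far past 80 columns. Wrap the size argument onto a continuation line, for example "if (copy_to_user(argp, &deviceInfo.ulOverlayStride," followed by "sizeof(deviceInfo.ulOverlayStride)))" aligned under the first argument. Since each case copies a single scalar, put_user() on a correctly typed user pointer would drop the separate size argument entirely and remove the chance of the size and the field drifting apart again.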

Thanks, applied for 3.13 fixes.

 Tomi


