Date: Mon, 19 Sep 2022 11:21:43 +0300
From: Vitaly Chikunov
To: Sasha Levin, Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH AUTOSEL 5.15 22/41] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
Message-ID: <20220919082143.g4gn5ssbzolnc57b@altlinux.org>
References: <20220628022100.595243-1-sashal@kernel.org> <20220628022100.595243-22-sashal@kernel.org>
In-Reply-To: <20220628022100.595243-22-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 27, 2022 at 10:20:41PM -0400, Sasha Levin wrote:
> From: Hyunwoo Kim
>
> [ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
>
> In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
> type int. Then, copy_from_user() may cause a heap overflow because it is used
> as the third argument of copy_from_user().

Why is this commit still not in the stable branches? Isn't this the fix
for CVE-2022-39842[1]?

Thanks,

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-39842

>
> Signed-off-by: Hyunwoo Kim
> Signed-off-by: Helge Deller
> Signed-off-by: Sasha Levin
> ---
> drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c > index 9421d14d0eb0..9e9888e40c57 100644 > --- a/drivers/video/fbdev/pxa3xx-gcu.c > +++ b/drivers/video/fbdev/pxa3xx-gcu.c
> @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, > struct pxa3xx_gcu_batch *buffer; > struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); > > - int words = count / 4; > + size_t words = count / 4; > > /* Does not need to be atomic. There's a lock in user space, > * but anyhow, this is just for statistics. */ > -- > 2.35.1 >
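
Review bot: at the changed declaration "size_t words = count / 4;" nothing in the visible context bounds words before it is used as a copy length, so the fix relies on a capacity check that sits outside this hunk. Please confirm that check compares words (or words * 4) against the batch buffer size in unsigned arithmetic, and that no later use of words still assumes a signed value, for example a comparison against an int or a %d format. The commit message also carries no Fixes: tag, which would let the stable trees pick this up without depending on AUTOSEL.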
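
The truncation the quoted commit message describes, as an added user-space model (not the driver's code and not part of the original mail). BATCH_WORDS and the shape of the bound check are assumptions, and size_t is modelled as uint64_t so the behaviour is the same on any host.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed batch buffer capacity in 32-bit words (placeholder, not the driver's value). */
#define BATCH_WORDS 1024

/* "Before": word count held in an int, as in the removed line.
 * Returns 0 and sets *len if the request passes the bound check, -1 if rejected. */
static int check_int_words(uint64_t count, uint64_t *len)
{
    /* Narrowing keeps the low 32 bits; on gcc/clang values above INT_MAX turn negative. */
    int words = (int)(uint32_t)(count / 4);

    if (words >= BATCH_WORDS)       /* signed compare: a negative count passes */
        return -1;
    /* Widened before multiplying to keep the demo free of signed overflow;
     * the conversion to an unsigned length is what a copy routine would see. */
    *len = (uint64_t)((int64_t)words * 4);
    return 0;
}

/* "After": word count keeps the full width of count, as in the added line. */
static int check_size_t_words(uint64_t count, uint64_t *len)
{
    uint64_t words = count / 4;

    if (words >= BATCH_WORDS)       /* unsigned compare: large counts are rejected */
        return -1;
    *len = words * 4;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary write and one whose count / 4 is 0xFFFFFFFF. */
    const uint64_t counts[] = { 64, 0x3FFFFFFFCULL };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint64_t a = 0, b = 0;
        int ra = check_int_words(counts[i], &a);
        int rb = check_size_t_words(counts[i], &b);
        printf("count=%#" PRIx64 " int: %s len=%#" PRIx64 " | size_t: %s len=%#" PRIx64 "\n",
               counts[i], ra ? "rejected" : "accepted", a,
               rb ? "rejected" : "accepted", b);
    }
    return 0;
}
```

With the int declaration the oversized request passes the check and yields a length near 2^64; with the size_t declaration the same request is rejected.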