[PATCH AUTOSEL 4.9 47/68] fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()

From: Sasha Levin
Date: Tue Nov 12 2019 - 21:01:11 EST


From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

[ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]

The "index + count" addition can overflow. Both come directly from the
user. This bug leads to an information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: Peter Malone <peter.malone@xxxxxxxxx>
Cc: Philippe Ombredanne <pombredanne@xxxxxxxx>
Cc: Mathieu Malaterre <malat@xxxxxxxxxx>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@xxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/video/fbdev/sbuslib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index b425718925c01..52e161dbd2047 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -170,7 +170,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
get_user(ublue, &c->blue))
return -EFAULT;

- if (index + count > cmap->len)
+ if (index > cmap->len || count > cmap->len - index)
return -EINVAL;

for (i = 0; i < count; i++) {
--
2.20.1