Re: [PATCH AUTOSEL 5.15 22/41] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write

From: Vitaly Chikunov
Date: Mon Sep 19 2022 - 04:21:57 EST


On Mon, Jun 27, 2022 at 10:20:41PM -0400, Sasha Levin wrote:
> From: Hyunwoo Kim <imv4bel@xxxxxxxxx>
>
> [ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
>
> In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
> type int. Then, copy_from_user() may cause a heap overflow because it is used
> as the third argument of copy_from_user().

Why this commit is still not in the stable branches?
Isn't this is the fix for CVE-2022-39842[1]?

Thanks,

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-39842

>
> Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx>
> Signed-off-by: Helge Deller <deller@xxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
> drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
> index 9421d14d0eb0..9e9888e40c57 100644
> --- a/drivers/video/fbdev/pxa3xx-gcu.c
> +++ b/drivers/video/fbdev/pxa3xx-gcu.c
> @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
> struct pxa3xx_gcu_batch *buffer;
> struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
>
> - int words = count / 4;
> + size_t words = count / 4;
>
> /* Does not need to be atomic. There's a lock in user space,
> * but anyhow, this is just for statistics. */
> --
> 2.35.1
>