fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()

[ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ] The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Peter Malone <peter.malone@gmail.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: Mathieu Malaterre <malat@debian.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2018-10-08 13:57:36 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-11-25 11:53:41 +0300
commit: 8077c98ce4c154d2f4dfcabb775daab4f8a3f421 (patch)
tree: 19156d3936ac346827a71db1d37a3c594f15b411 /drivers/video
parent: e6bb4dca56e88a78a344c4a4888992874da3d2a1 (diff)
download: linux-8077c98ce4c154d2f4dfcabb775daab4f8a3f421.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index b425718925c0..52e161dbd204 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -170,7 +170,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
 		    get_user(ublue, &c->blue))
 			return -EFAULT;
 
-		if (index + count > cmap->len)
+		if (index > cmap->len || count > cmap->len - index)
 			return -EINVAL;
 
 		for (i = 0; i < count; i++) {
author	Dan Carpenter <dan.carpenter@oracle.com>	2018-10-08 13:57:36 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-11-25 11:53:41 +0300
commit	8077c98ce4c154d2f4dfcabb775daab4f8a3f421 (patch)
tree	19156d3936ac346827a71db1d37a3c594f15b411 /drivers/video
parent	e6bb4dca56e88a78a344c4a4888992874da3d2a1 (diff)
download	linux-8077c98ce4c154d2f4dfcabb775daab4f8a3f421.tar.xz