Skip to content

Commit

Permalink
video: kyro: fix incorrect sizes when copying to userspace
Browse files Browse the repository at this point in the history
kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.

This would copy more data than intended and cause memory corruption and might
leak kernel memory.

Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Tomi Valkeinen <[email protected]>
sashalevin authored and tomba committed Nov 26, 2013

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent c37dd67 commit 2ab68ec
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions drivers/video/kyro/fbdev.c
Original file line number Diff line number Diff line change
@@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info,
return -EINVAL;
}
case KYRO_IOCTL_UVSTRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
return -EFAULT;
break;
case KYRO_IOCTL_STRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
return -EFAULT;
break;
case KYRO_IOCTL_OVERLAY_OFFSET:
if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
return -EFAULT;
break;
}

0 comments on commit 2ab68ec

Please sign in to comment.