Commit 6fa8c5d6 authored by Sasha Levin's avatar Sasha Levin Committed by Greg Kroah-Hartman

video: kyro: fix incorrect sizes when copying to userspace

commit 2ab68ec9 upstream.

kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.

This would copy more data than intended and cause memory corruption and might
leak kernel memory.
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b79811fc
...@@ -625,15 +625,15 @@ static int kyrofb_ioctl(struct fb_info *info, ...@@ -625,15 +625,15 @@ static int kyrofb_ioctl(struct fb_info *info,
} }
break; break;
case KYRO_IOCTL_UVSTRIDE: case KYRO_IOCTL_UVSTRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long))) if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
return -EFAULT; return -EFAULT;
break; break;
case KYRO_IOCTL_STRIDE: case KYRO_IOCTL_STRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long))) if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
return -EFAULT; return -EFAULT;
break; break;
case KYRO_IOCTL_OVERLAY_OFFSET: case KYRO_IOCTL_OVERLAY_OFFSET:
if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long))) if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
return -EFAULT; return -EFAULT;
break; break;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment