From: Hyunwoo Kim <imv4bel@gmail.com> mainline inclusion from mainline-v5.19-rc4 commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 category: bugfix bugzilla: 187590, https://gitee.com/src-openeuler/kernel/issues/I5PRMO CVE: CVE-2022-39842 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... --------------------- In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user() may cause a heap overflow because it is used as the third argument of copy_from_user(). Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Zhao Wenhui <zhaowenhui8@huawei.com> Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com> Reviewed-by: Zhang Qiao <zhangqiao22@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> --- drivers/video/fbdev/pxa3xx-gcu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c index 9421d14d0eb0..9e9888e40c57 100644 --- a/drivers/video/fbdev/pxa3xx-gcu.c +++ b/drivers/video/fbdev/pxa3xx-gcu.c @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, struct pxa3xx_gcu_batch *buffer; struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); - int words = count / 4; + size_t words = count / 4; /* Does not need to be atomic. There's a lock in user space, * but anyhow, this is just for statistics. */ -- 2.20.1