Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 1e7c7804884fc5751e3872f13498fd533325f8b2
commit1e7c7804884fc5751e3872f13498fd533325f8b2[log] [tgz]
authorDan Carpenter <error27@gmail.com>Tue Nov 16 12:11:02 2010 +0300
committerPaul Mundt <lethal@linux-sh.org>Wed Nov 17 14:55:45 2010 +0900
tree1d9a9ead0d2c7cb18e46cc35878a0d64daaeb545
parentc353103de8795358af1584088aa471571decb307 [diff]
fbcmap: integer overflow bug

There is an integer overflow in fb_set_user_cmap() because cmap->len * 2
can wrap.  It's basically harmless.  Your terminal will be messed up
until you type reset.

This patch does three things to fix the bug.

First, it checks the return value of fb_copy_cmap() in fb_alloc_cmap().
That is enough to fix address the overflow.

Second it checks for the integer overflow in fb_set_user_cmap().

Lastly I wanted to cap "cmap->len" in fb_set_user_cmap() much lower
because it gets used to determine the size of allocation.  Unfortunately
no one knows what the limit should be.  Instead what this patch does
is makes the allocation happen with GFP_KERNEL instead of GFP_ATOMIC
and lets the kmalloc() decide what values of cmap->len are reasonable.
To do this, the patch introduces a function called fb_alloc_cmap_gfp()
which is like fb_alloc_cmap() except that it takes a GFP flag.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
2 files changed
tree: 1d9a9ead0d2c7cb18e46cc35878a0d64daaeb545
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS