提交 2ab68ec9 编写于 作者: S Sasha Levin 提交者: Tomi Valkeinen

video: kyro: fix incorrect sizes when copying to userspace

kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.

This would copy more data than intended and cause memory corruption and might
leak kernel memory.
Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
Signed-off-by: NTomi Valkeinen <tomi.valkeinen@ti.com>
上级 c37dd677
......@@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info,
return -EINVAL;
}
case KYRO_IOCTL_UVSTRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
return -EFAULT;
break;
case KYRO_IOCTL_STRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
return -EFAULT;
break;
case KYRO_IOCTL_OVERLAY_OFFSET:
if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
return -EFAULT;
break;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册