Commit 2ab68ec9 authored by Sasha Levin's avatar Sasha Levin Committed by Tomi Valkeinen

video: kyro: fix incorrect sizes when copying to userspace

kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.

This would copy more data than intended and cause memory corruption and might
leak kernel memory.
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
parent c37dd677
...@@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info, ...@@ -624,15 +624,15 @@ static int kyrofb_ioctl(struct fb_info *info,
return -EINVAL; return -EINVAL;
} }
case KYRO_IOCTL_UVSTRIDE: case KYRO_IOCTL_UVSTRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long))) if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
return -EFAULT; return -EFAULT;
break; break;
case KYRO_IOCTL_STRIDE: case KYRO_IOCTL_STRIDE:
if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long))) if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
return -EFAULT; return -EFAULT;
break; break;
case KYRO_IOCTL_OVERLAY_OFFSET: case KYRO_IOCTL_OVERLAY_OFFSET:
if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long))) if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
return -EFAULT; return -EFAULT;
break; break;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment