aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorDan Carpenter <error27@gmail.com>2010-11-16 04:11:02 -0500
committerPaul Mundt <lethal@linux-sh.org>2010-11-17 00:55:45 -0500
commit1e7c7804884fc5751e3872f13498fd533325f8b2 (patch)
tree1d9a9ead0d2c7cb18e46cc35878a0d64daaeb545 /include
parentc353103de8795358af1584088aa471571decb307 (diff)
fbcmap: integer overflow bug
There is an integer overflow in fb_set_user_cmap() because cmap->len * 2 can wrap. It's basically harmless. Your terminal will be messed up until you type reset. This patch does three things to fix the bug. First, it checks the return value of fb_copy_cmap() in fb_alloc_cmap(). That is enough to fix address the overflow. Second it checks for the integer overflow in fb_set_user_cmap(). Lastly I wanted to cap "cmap->len" in fb_set_user_cmap() much lower because it gets used to determine the size of allocation. Unfortunately no one knows what the limit should be. Instead what this patch does is makes the allocation happen with GFP_KERNEL instead of GFP_ATOMIC and lets the kmalloc() decide what values of cmap->len are reasonable. To do this, the patch introduces a function called fb_alloc_cmap_gfp() which is like fb_alloc_cmap() except that it takes a GFP flag. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/fb.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/fb.h b/include/linux/fb.h
index 7fca3dc4e475..d1631d37e9e0 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -1122,6 +1122,7 @@ extern const struct fb_videomode *fb_find_best_display(const struct fb_monspecs
1122 1122
1123/* drivers/video/fbcmap.c */ 1123/* drivers/video/fbcmap.c */
1124extern int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp); 1124extern int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp);
1125extern int fb_alloc_cmap_gfp(struct fb_cmap *cmap, int len, int transp, gfp_t flags);
1125extern void fb_dealloc_cmap(struct fb_cmap *cmap); 1126extern void fb_dealloc_cmap(struct fb_cmap *cmap);
1126extern int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to); 1127extern int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to);
1127extern int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to); 1128extern int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to);