[PATCH 1/2] staging: vc04_services: vc-sm-cma: fix integer overflow in vc_sm_cma_clean_invalid2()
Greg Kroah-Hartman
gregkh at linuxfoundation.org
Sat Mar 28 23:33:37 PDT 2026
On Sun, Mar 29, 2026 at 12:18:45AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84 at gmail.com>
>
> vc_sm_cma_clean_invalid2() uses 'ioparam.op_count * sizeof(*block)' to
> compute the allocation size passed to kmalloc(). Since ioparam.op_count
> is a __u32 supplied directly by userspace via ioctl, an attacker can
> choose a value that causes the multiplication to overflow on 32-bit
> platforms, resulting in a small allocation followed by a large
> copy_from_user() and out-of-bounds heap reads in the subsequent loop.
>
> Replace kmalloc() with kmalloc_array(), which returns NULL on overflow.
> Also add an early return for op_count == 0 to avoid a zero-size
> allocation, and return -ENOMEM (not -EFAULT) on allocation failure to
> correctly indicate out of memory.
Why not use kmalloc_array() instead?
>
> The /dev/vc-sm-cma device is world-accessible (mode 0666), so this is
> reachable by any unprivileged local user.
>
> Fixes: dfdc7a773374 ("staging: vc04_services: Add new vc-sm-cma driver")
I do not see that git id anywhere, what tree is it in?
thanks,
greg k-h
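As an added illustration of the overflow described in the patch text above (not code from the driver or from the patch), the unchecked 32-bit size computation is shown beside a kmalloc_array()-style checked one; struct sim_block, the sample op_count and the simulated ioctl path are constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the driver's per-op block (constructed; 12 bytes). */
struct sim_block { uint32_t addr; uint32_t size; uint32_t cache_op; };

/* 'ioparam.op_count * sizeof(*block)' as evaluated on a 32-bit kernel,
 * where size_t is 32 bits wide: the product silently wraps. */
uint32_t alloc_size_unchecked32(uint32_t op_count, uint32_t elem_size)
{
	return op_count * elem_size; /* modular arithmetic, no diagnostic */
}

/* What kmalloc_array() does before allocating: refuse the request when
 * n * size does not fit in size_t. Returns 0 on overflow, standing in
 * for the NULL that kmalloc_array() returns. */
uint32_t alloc_size_checked32(uint32_t op_count, uint32_t elem_size)
{
	uint32_t bytes;

	if (__builtin_mul_overflow(op_count, elem_size, &bytes))
		return 0;
	return bytes;
}

/* Assumed shape of the fixed ioctl path (not the driver's code): early
 * return when op_count == 0, -ENOMEM when the checked allocation fails. */
int clean_invalid2_sim(uint32_t op_count, uint32_t *bytes_out)
{
	uint32_t bytes;

	*bytes_out = 0;
	if (op_count == 0)
		return 0;
	bytes = alloc_size_checked32(op_count, sizeof(struct sim_block));
	if (!bytes)
		return -ENOMEM;
	*bytes_out = bytes;
	return 0;
}

int main(void)
{
	uint32_t n = 0x15555556u; /* constructed: 12 * n == 2^32 + 8 */
	uint32_t out;

	printf("unchecked: %u bytes\n", alloc_size_unchecked32(n, 12));
	printf("checked:   %u bytes\n", alloc_size_checked32(n, 12));
	printf("sim rc:    %d\n", clean_invalid2_sim(n, &out));
	return 0;
}
```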