Skip to content

Commit 81beffc

Browse files
pvts-matpvts-mat
committed
udmabuf: fix a buf size overflow issue during udmabuf creation
jira VULN-67673 cve CVE-2025-37803 commit-author Xiaogang Chen <[email protected]> commit 021ba7f by casting size_limit_mb to u64 when calculate pglimit. Signed-off-by: Xiaogang Chen<[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Christian König <[email protected]> (cherry picked from commit 021ba7f) Signed-off-by: Marcin Wcisło <[email protected]>
1 parent 759deb2 commit 81beffc

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

drivers/dma-buf/udmabuf.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -186,7 +186,7 @@ static long udmabuf_create(struct miscdevice *device,
186186
if (!ubuf)
187187
return -ENOMEM;
188188

189-
pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
189+
pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
190190
for (i = 0; i < head->count; i++) {
191191
if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
192192
goto err;

0 commit comments

Comments
 (0)