Skip to content

Commit a905dcf

Browse files
pvts-matpvts-mat
committed
udmabuf: fix a buf size overflow issue during udmabuf creation
jira VULN-67674 cve CVE-2025-37803 commit-author Xiaogang Chen <[email protected]> commit 021ba7f by casting size_limit_mb to u64 when calculate pglimit. Signed-off-by: Xiaogang Chen<[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Christian König <[email protected]> (cherry picked from commit 021ba7f) Signed-off-by: Marcin Wcisło <[email protected]>
1 parent 8a6224a commit a905dcf

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

drivers/dma-buf/udmabuf.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -212,7 +212,7 @@ static long udmabuf_create(struct miscdevice *device,
212212
if (!ubuf)
213213
return -ENOMEM;
214214

215-
pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
215+
pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
216216
for (i = 0; i < head->count; i++) {
217217
if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
218218
goto err;

0 commit comments

Comments
 (0)