From 36c39220129e4048b6810dc732b49b4f23f2dcee Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Tue, 18 Aug 2020 10:57:00 +0200 Subject: [PATCH] vc_screen: sanitize types in vcs_read * pos is derived from the passed ppos, so make it long enough, i.e. loff_t * attr and uni_mode are booleans, so... * size is limited by vcs_size() which returns an int * read, p, orig_count and this_round are always ">= 0" and "< size", so uint is enough * row, col, and max_col are derived from vc->vc_cols (uint) and p, so make them uint too * tmp_count is derived from this_round, so make it an uint too. * use u16 * for org (instead of unsigned short *). No need to initialize org too. Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20200818085706.12163-10-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/vc_screen.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c index 36b9678..c62c590 100644 --- a/drivers/tty/vt/vc_screen.c +++ b/drivers/tty/vt/vc_screen.c @@ -256,12 +256,12 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) struct inode *inode = file_inode(file); struct vc_data *vc; struct vcs_poll_data *poll; - long pos, read; - int attr, uni_mode, row, col, maxcol; - unsigned short *org = NULL; + u16 *org; + unsigned int read, row, col, maxcol; ssize_t ret; char *con_buf; - bool viewed; + loff_t pos; + bool viewed, attr, uni_mode; con_buf = (char *) __get_free_page(GFP_KERNEL); if (!con_buf) @@ -295,9 +295,8 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) ret = 0; while (count) { char *con_buf0, *con_buf_start; - long this_round, size; - ssize_t orig_count; - long p = pos; + unsigned int this_round, orig_count, p = pos; + int size; /* Check whether we are above size each round, * as copy_to_user at the end of this loop @@ -362,7 +361,7 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) } } else { if (p < HEADER_SIZE) { - size_t tmp_count; + unsigned int tmp_count; /* clamp header values if they don't fit */ con_buf0[0] = min(vc->vc_rows, 0xFFu); -- 2.7.4