[PATCH v1 3/4] staging: atomisp: prevent integer overflow in shading table allocation

Next message: Breno Leitao: "Re: [PATCH net] net: Avoid checksumming unreadable skb tail on trim"
Previous message: Jan Kara: "Re: [PATCH 1/2] ext4: avoid RWM atomic in EXT4_MB_GRP_TEST_AND_SET_READ"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Siho Lee

Date: Mon May 25 2026 - 11:29:08 EST

The width * height multiplication in ia_css_shading_table_alloc() can
overflow on 32-bit arithmetic when width and height are large, causing
an undersized kvmalloc() and subsequent out-of-bounds write.

Use array3_size() to prevent the overflow, consistent with the
CVE-2022-50399 fix and the previous commits.

Fixes: 3c4efab94858 ("staging/atomisp: allocate shading table separately")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Siho Lee <25esihoya@xxxxxxxxx>
---
drivers/staging/media/atomisp/pci/sh_css_param_shading.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css_param_shading.c
b/drivers/staging/media/atomisp/pci/sh_css_param_shading.c
index 9105334c7..2a8756f1f 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_param_shading.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_param_shading.c
@@ -339,7 +339,7 @@ ia_css_shading_table_alloc(
me->fraction_bits = 0;
for (i = 0; i < IA_CSS_SC_NUM_COLORS; i++) {
me->data[i] =
- kvmalloc(width * height * sizeof(*me->data[0]),
+ kvmalloc(array3_size(width, height, sizeof(*me->data[0])),
GFP_KERNEL);
if (!me->data[i]) {
unsigned int j;
--
2.43.0