vc_screen: sanitize types in vcs_read

* pos is derived from the passed ppos, so make it long enough, i.e.
  loff_t
* attr and uni_mode are booleans, so...
* size is limited by vcs_size() which returns an int
* read, p, orig_count and this_round are always ">= 0" and "< size",
  so uint is enough
* row, col, and max_col are derived from vc->vc_cols (uint) and p, so
  make them uint too
* tmp_count is derived from this_round, so make it an uint too.
* use u16 * for org (instead of unsigned short *). No need to initialize
  org too.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20200818085706.12163-10-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
index 36b967825f68193f3a865a8e3a6e2e3ff023b942..c62c590ed816813da7b744fe53960cb537265d04 100644 (file)
--- a/drivers/tty/vt/vc_screen.c
+++ b/drivers/tty/vt/vc_screen.c
@@ -256,12 +256,12 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
        struct inode *inode = file_inode(file);
        struct vc_data *vc;
        struct vcs_poll_data *poll;
-       long pos, read;
-       int attr, uni_mode, row, col, maxcol;
-       unsigned short *org = NULL;
+       u16 *org;
+       unsigned int read, row, col, maxcol;
        ssize_t ret;
        char *con_buf;
-       bool viewed;
+       loff_t pos;
+       bool viewed, attr, uni_mode;
 
        con_buf = (char *) __get_free_page(GFP_KERNEL);
        if (!con_buf)
@@ -295,9 +295,8 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
        ret = 0;
        while (count) {
                char *con_buf0, *con_buf_start;
-               long this_round, size;
-               ssize_t orig_count;
-               long p = pos;
+               unsigned int this_round, orig_count, p = pos;
+               int size;
 
                /* Check whether we are above size each round,
                 * as copy_to_user at the end of this loop
@@ -362,7 +361,7 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
                        }
                } else {
                        if (p < HEADER_SIZE) {
-                               size_t tmp_count;
+                               unsigned int tmp_count;
 
                                /* clamp header values if they don't fit */
                                con_buf0[0] = min(vc->vc_rows, 0xFFu);