* [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
@ 2018-09-12 7:30 ` Tomi Valkeinen
0 siblings, 0 replies; 7+ messages in thread
From: Tomi Valkeinen @ 2018-09-12 7:30 UTC (permalink / raw)
To: linux-fbdev, Bartlomiej Zolnierkiewicz
Cc: Tomi Valkeinen, stable, security, Will Deacon, Jann Horn, Tony Lindgren
OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:
- The user provided width and height could be large enough to overflow
the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
which might contain sensitive kernel information.
Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Tony Lindgren <tony@atomide.com>
---
drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
index ef69273074ba..a3edb20ea4c3 100644
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
return -EFAULT;
+ if (mr->w > 4096 || mr->h > 4096)
+ return -EINVAL;
+
if (mr->w * mr->h * 3 > mr->buffer_size)
return -EINVAL;
@@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
mr->x, mr->y, mr->w, mr->h);
if (r > 0) {
- if (copy_to_user(mr->buffer, buf, mr->buffer_size))
+ if (copy_to_user(mr->buffer, buf, r))
r = -EFAULT;
}
--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
@ 2018-09-12 7:30 ` Tomi Valkeinen
0 siblings, 0 replies; 7+ messages in thread
From: Tomi Valkeinen @ 2018-09-12 7:30 UTC (permalink / raw)
To: linux-fbdev, Bartlomiej Zolnierkiewicz
Cc: Tomi Valkeinen, stable, security, Will Deacon, Jann Horn, Tony Lindgren
OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:
- The user provided width and height could be large enough to overflow
the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
which might contain sensitive kernel information.
Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Tony Lindgren <tony@atomide.com>
---
drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
index ef69273074ba..a3edb20ea4c3 100644
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
return -EFAULT;
+ if (mr->w > 4096 || mr->h > 4096)
+ return -EINVAL;
+
if (mr->w * mr->h * 3 > mr->buffer_size)
return -EINVAL;
@@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
mr->x, mr->y, mr->w, mr->h);
if (r > 0) {
- if (copy_to_user(mr->buffer, buf, mr->buffer_size))
+ if (copy_to_user(mr->buffer, buf, r))
r = -EFAULT;
}
--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
2018-09-12 7:30 ` Tomi Valkeinen
@ 2018-09-12 17:32 ` Kees Cook
-1 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2018-09-12 17:32 UTC (permalink / raw)
To: Tomi Valkeinen
Cc: linux-fbdev, Bartlomiej Zolnierkiewicz, # 3.4.x,
Security Officers, Will Deacon, Jann Horn, Tony Lindgren
On Wed, Sep 12, 2018 at 12:30 AM, Tomi Valkeinen <tomi.valkeinen@ti.com> wrote:
> OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
> them to a userspace buffer. The code has two issues:
>
> - The user provided width and height could be large enough to overflow
> the calculations
> - The copy_to_user() can copy uninitialized memory to the userspace,
> which might contain sensitive kernel information.
>
> Fix these by limiting the width & height parameters, and only copying
> the amount of data that we actually received from the LCD.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reported-by: Jann Horn <jannh@google.com>
> Cc: stable@vger.kernel.org
> Cc: security@kernel.org
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Jann Horn <jannh@google.com>
> Cc: Tony Lindgren <tony@atomide.com>
> ---
> drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> index ef69273074ba..a3edb20ea4c3 100644
> --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> @@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
> if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
> return -EFAULT;
>
> + if (mr->w > 4096 || mr->h > 4096)
> + return -EINVAL;
> +
> if (mr->w * mr->h * 3 > mr->buffer_size)
> return -EINVAL;
alternatively, replace the above two tests with:
alloc_size = array3_size(mr->w, mr->h, 3);
if (alloc_size > mr->buffer_size)
return -EINVAL;
buf = vmalloc(alloc_size);
...
>
> @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
> mr->x, mr->y, mr->w, mr->h);
>
> if (r > 0) {
> - if (copy_to_user(mr->buffer, buf, mr->buffer_size))
> + if (copy_to_user(mr->buffer, buf, r))
But yes, this seems correct regardless: userspace was being
overwritten beyond "r", potentially.
-Kees
> r = -EFAULT;
> }
>
> --
> Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
> Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
>
--
Kees Cook
Pixel Security
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
@ 2018-09-12 17:32 ` Kees Cook
0 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2018-09-12 17:32 UTC (permalink / raw)
To: Tomi Valkeinen
Cc: linux-fbdev, Bartlomiej Zolnierkiewicz, # 3.4.x,
Security Officers, Will Deacon, Jann Horn, Tony Lindgren
On Wed, Sep 12, 2018 at 12:30 AM, Tomi Valkeinen <tomi.valkeinen@ti.com> wrote:
> OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
> them to a userspace buffer. The code has two issues:
>
> - The user provided width and height could be large enough to overflow
> the calculations
> - The copy_to_user() can copy uninitialized memory to the userspace,
> which might contain sensitive kernel information.
>
> Fix these by limiting the width & height parameters, and only copying
> the amount of data that we actually received from the LCD.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reported-by: Jann Horn <jannh@google.com>
> Cc: stable@vger.kernel.org
> Cc: security@kernel.org
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Jann Horn <jannh@google.com>
> Cc: Tony Lindgren <tony@atomide.com>
> ---
> drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> index ef69273074ba..a3edb20ea4c3 100644
> --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> @@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
> if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
> return -EFAULT;
>
> + if (mr->w > 4096 || mr->h > 4096)
> + return -EINVAL;
> +
> if (mr->w * mr->h * 3 > mr->buffer_size)
> return -EINVAL;
alternatively, replace the above two tests with:
alloc_size = array3_size(mr->w, mr->h, 3);
if (alloc_size > mr->buffer_size)
return -EINVAL;
buf = vmalloc(alloc_size);
...
>
> @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
> mr->x, mr->y, mr->w, mr->h);
>
> if (r > 0) {
> - if (copy_to_user(mr->buffer, buf, mr->buffer_size))
> + if (copy_to_user(mr->buffer, buf, r))
But yes, this seems correct regardless: userspace was being
overwritten beyond "r", potentially.
-Kees
> r = -EFAULT;
> }
>
> --
> Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
> Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
>
--
Kees Cook
Pixel Security
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
2018-09-12 7:30 ` Tomi Valkeinen
(?)
@ 2018-09-26 15:45 ` Bartlomiej Zolnierkiewicz
-1 siblings, 0 replies; 7+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2018-09-26 15:45 UTC (permalink / raw)
To: Tomi Valkeinen
Cc: linux-fbdev, dri-devel, stable, security, Will Deacon, Jann Horn,
Tony Lindgren
[ added dri-devel@lists.freedesktop.org to Cc: ]
On 09/12/2018 09:30 AM, Tomi Valkeinen wrote:
> OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
> them to a userspace buffer. The code has two issues:
>
> - The user provided width and height could be large enough to overflow
> the calculations
> - The copy_to_user() can copy uninitialized memory to the userspace,
> which might contain sensitive kernel information.
>
> Fix these by limiting the width & height parameters, and only copying
> the amount of data that we actually received from the LCD.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reported-by: Jann Horn <jannh@google.com>
> Cc: stable@vger.kernel.org
> Cc: security@kernel.org
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Jann Horn <jannh@google.com>
> Cc: Tony Lindgren <tony@atomide.com>
Patch queued for 4.19, thanks.
> ---
> drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> index ef69273074ba..a3edb20ea4c3 100644
> --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> @@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
> if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
> return -EFAULT;
>
> + if (mr->w > 4096 || mr->h > 4096)
> + return -EINVAL;
> +
> if (mr->w * mr->h * 3 > mr->buffer_size)
> return -EINVAL;
>
> @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
> mr->x, mr->y, mr->w, mr->h);
>
> if (r > 0) {
> - if (copy_to_user(mr->buffer, buf, mr->buffer_size))
> + if (copy_to_user(mr->buffer, buf, r))
> r = -EFAULT;
> }
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
@ 2018-09-26 15:45 ` Bartlomiej Zolnierkiewicz
0 siblings, 0 replies; 7+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2018-09-26 15:45 UTC (permalink / raw)
To: Tomi Valkeinen
Cc: linux-fbdev, dri-devel, stable, security, Will Deacon, Jann Horn,
Tony Lindgren
[ added dri-devel@lists.freedesktop.org to Cc: ]
On 09/12/2018 09:30 AM, Tomi Valkeinen wrote:
> OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
> them to a userspace buffer. The code has two issues:
>
> - The user provided width and height could be large enough to overflow
> the calculations
> - The copy_to_user() can copy uninitialized memory to the userspace,
> which might contain sensitive kernel information.
>
> Fix these by limiting the width & height parameters, and only copying
> the amount of data that we actually received from the LCD.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reported-by: Jann Horn <jannh@google.com>
> Cc: stable@vger.kernel.org
> Cc: security@kernel.org
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Jann Horn <jannh@google.com>
> Cc: Tony Lindgren <tony@atomide.com>
Patch queued for 4.19, thanks.
> ---
> drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> index ef69273074ba..a3edb20ea4c3 100644
> --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> @@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
> if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
> return -EFAULT;
>
> + if (mr->w > 4096 || mr->h > 4096)
> + return -EINVAL;
> +
> if (mr->w * mr->h * 3 > mr->buffer_size)
> return -EINVAL;
>
> @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
> mr->x, mr->y, mr->w, mr->h);
>
> if (r > 0) {
> - if (copy_to_user(mr->buffer, buf, mr->buffer_size))
> + if (copy_to_user(mr->buffer, buf, r))
> r = -EFAULT;
> }
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
@ 2018-09-26 15:45 ` Bartlomiej Zolnierkiewicz
0 siblings, 0 replies; 7+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2018-09-26 15:45 UTC (permalink / raw)
To: Tomi Valkeinen
Cc: linux-fbdev, dri-devel, stable, security, Will Deacon, Jann Horn,
Tony Lindgren
[ added dri-devel@lists.freedesktop.org to Cc: ]
On 09/12/2018 09:30 AM, Tomi Valkeinen wrote:
> OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
> them to a userspace buffer. The code has two issues:
>
> - The user provided width and height could be large enough to overflow
> the calculations
> - The copy_to_user() can copy uninitialized memory to the userspace,
> which might contain sensitive kernel information.
>
> Fix these by limiting the width & height parameters, and only copying
> the amount of data that we actually received from the LCD.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reported-by: Jann Horn <jannh@google.com>
> Cc: stable@vger.kernel.org
> Cc: security@kernel.org
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Jann Horn <jannh@google.com>
> Cc: Tony Lindgren <tony@atomide.com>
Patch queued for 4.19, thanks.
> ---
> drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> index ef69273074ba..a3edb20ea4c3 100644
> --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
> @@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
> if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
> return -EFAULT;
>
> + if (mr->w > 4096 || mr->h > 4096)
> + return -EINVAL;
> +
> if (mr->w * mr->h * 3 > mr->buffer_size)
> return -EINVAL;
>
> @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
> mr->x, mr->y, mr->w, mr->h);
>
> if (r > 0) {
> - if (copy_to_user(mr->buffer, buf, mr->buffer_size))
> + if (copy_to_user(mr->buffer, buf, r))
> r = -EFAULT;
> }
Best regards,
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-09-26 21:59 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CGME20180912073137epcas5p36de373cd9715ad2a2b60c5206c08e5cf@epcas5p3.samsung.com>
2018-09-12 7:30 ` [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak Tomi Valkeinen
2018-09-12 7:30 ` Tomi Valkeinen
2018-09-12 17:32 ` Kees Cook
2018-09-12 17:32 ` Kees Cook
2018-09-26 15:45 ` Bartlomiej Zolnierkiewicz
2018-09-26 15:45 ` Bartlomiej Zolnierkiewicz
2018-09-26 15:45 ` Bartlomiej Zolnierkiewicz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.