All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	linux-fbdev@vger.kernel.org, Min Chong <mchong@google.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Tomi Valkeinen <tomi.valkeinen@ti.com>
Subject: Re: [PATCH] fbdev: color map copying bounds checking
Date: Thu, 19 Jan 2017 12:35:07 -0800	[thread overview]
Message-ID: <CAGXu5jL-ejr1qubsTz3J1Kpw5ypKKpgwv2-kpytHuurJLnnQmg@mail.gmail.com> (raw)
In-Reply-To: <20170105224249.GA50925@beast>

Hi again,

It's been two weeks with no response. This fixes a kernel heap OOB
read. Andrew, can you take this into -mm?

-Kees

On Thu, Jan 5, 2017 at 2:42 PM, Kees Cook <keescook@chromium.org> wrote:
> Copying color maps to userspace doesn't check the value of to->start,
> which will cause kernel heap buffer OOB read due to signedness wraps.
>
> CVE-2016-8405
>
> Reported-by: Peter Pi (@heisecode) of Trend Micro
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
>  1 file changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
> index f89245b8ba8e..68a113594808 100644
> --- a/drivers/video/fbdev/core/fbcmap.c
> +++ b/drivers/video/fbdev/core/fbcmap.c
> @@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
>
>  int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>  {
> -       int tooff = 0, fromoff = 0;
> -       int size;
> +       unsigned int tooff = 0, fromoff = 0;
> +       size_t size;
>
>         if (to->start > from->start)
>                 fromoff = to->start - from->start;
>         else
>                 tooff = from->start - to->start;
> -       size = to->len - tooff;
> -       if (size > (int) (from->len - fromoff))
> -               size = from->len - fromoff;
> -       if (size <= 0)
> +       if (fromoff >= from->len || tooff >= to->len)
> +               return -EINVAL;
> +
> +       size = min_t(size_t, to->len - tooff, from->len - fromoff);
> +       if (size == 0)
>                 return -EINVAL;
>         size *= sizeof(u16);
>
> @@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>
>  int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
>  {
> -       int tooff = 0, fromoff = 0;
> -       int size;
> +       unsigned int tooff = 0, fromoff = 0;
> +       size_t size;
>
>         if (to->start > from->start)
>                 fromoff = to->start - from->start;
>         else
>                 tooff = from->start - to->start;
> -       size = to->len - tooff;
> -       if (size > (int) (from->len - fromoff))
> -               size = from->len - fromoff;
> -       if (size <= 0)
> +       if (fromoff >= from->len || tooff >= to->len)
> +               return -EINVAL;
> +
> +       size = min_t(size_t, to->len - tooff, from->len - fromoff);
> +       if (size == 0)
>                 return -EINVAL;
>         size *= sizeof(u16);
>
> --
> 2.7.4
>
>
> --
> Kees Cook
> Nexus Security



-- 
Kees Cook
Nexus Security

WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	linux-fbdev@vger.kernel.org, Min Chong <mchong@google.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Tomi Valkeinen <tomi.valkeinen@ti.com>
Subject: Re: [PATCH] fbdev: color map copying bounds checking
Date: Thu, 19 Jan 2017 20:35:07 +0000	[thread overview]
Message-ID: <CAGXu5jL-ejr1qubsTz3J1Kpw5ypKKpgwv2-kpytHuurJLnnQmg@mail.gmail.com> (raw)
In-Reply-To: <20170105224249.GA50925@beast>

Hi again,

It's been two weeks with no response. This fixes a kernel heap OOB
read. Andrew, can you take this into -mm?

-Kees

On Thu, Jan 5, 2017 at 2:42 PM, Kees Cook <keescook@chromium.org> wrote:
> Copying color maps to userspace doesn't check the value of to->start,
> which will cause kernel heap buffer OOB read due to signedness wraps.
>
> CVE-2016-8405
>
> Reported-by: Peter Pi (@heisecode) of Trend Micro
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
>  1 file changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
> index f89245b8ba8e..68a113594808 100644
> --- a/drivers/video/fbdev/core/fbcmap.c
> +++ b/drivers/video/fbdev/core/fbcmap.c
> @@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
>
>  int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>  {
> -       int tooff = 0, fromoff = 0;
> -       int size;
> +       unsigned int tooff = 0, fromoff = 0;
> +       size_t size;
>
>         if (to->start > from->start)
>                 fromoff = to->start - from->start;
>         else
>                 tooff = from->start - to->start;
> -       size = to->len - tooff;
> -       if (size > (int) (from->len - fromoff))
> -               size = from->len - fromoff;
> -       if (size <= 0)
> +       if (fromoff >= from->len || tooff >= to->len)
> +               return -EINVAL;
> +
> +       size = min_t(size_t, to->len - tooff, from->len - fromoff);
> +       if (size = 0)
>                 return -EINVAL;
>         size *= sizeof(u16);
>
> @@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>
>  int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
>  {
> -       int tooff = 0, fromoff = 0;
> -       int size;
> +       unsigned int tooff = 0, fromoff = 0;
> +       size_t size;
>
>         if (to->start > from->start)
>                 fromoff = to->start - from->start;
>         else
>                 tooff = from->start - to->start;
> -       size = to->len - tooff;
> -       if (size > (int) (from->len - fromoff))
> -               size = from->len - fromoff;
> -       if (size <= 0)
> +       if (fromoff >= from->len || tooff >= to->len)
> +               return -EINVAL;
> +
> +       size = min_t(size_t, to->len - tooff, from->len - fromoff);
> +       if (size = 0)
>                 return -EINVAL;
>         size *= sizeof(u16);
>
> --
> 2.7.4
>
>
> --
> Kees Cook
> Nexus Security



-- 
Kees Cook
Nexus Security

  reply	other threads:[~2017-01-19 20:35 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-05 22:42 [PATCH] fbdev: color map copying bounds checking Kees Cook
2017-01-05 22:42 ` Kees Cook
2017-01-19 20:35 ` Kees Cook [this message]
2017-01-19 20:35   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5jL-ejr1qubsTz3J1Kpw5ypKKpgwv2-kpytHuurJLnnQmg@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=akpm@linux-foundation.org \
    --cc=dan.carpenter@oracle.com \
    --cc=linux-fbdev@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchong@google.com \
    --cc=tomi.valkeinen@ti.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.