From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Jann Horn <jannh@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
devel@driverdev.osuosl.org, kirk@reisers.ca,
speakup@linux-speakup.org,
kernel list <linux-kernel@vger.kernel.org>,
Samuel Thibault <samuel.thibault@ens-lyon.org>,
Christopher Brannon <chris@the-brannons.com>
Subject: Re: [PATCH] staging: speakup: fix wraparound in uaccess length check
Date: Fri, 13 Jul 2018 10:31:54 +0200 [thread overview]
Message-ID: <20180713083154.GA21160@kroah.com> (raw)
In-Reply-To: <CAG48ez0ZLzh1L8HieUJ+UmbQewRMc_0hwJG7-MB=WR1h=VagZA@mail.gmail.com>
On Thu, Jul 12, 2018 at 04:12:39PM -0700, Jann Horn wrote:
> On Thu, Jul 12, 2018 at 3:47 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > On Fri, Jul 13, 2018 at 12:29:36AM +0200, Jann Horn wrote:
> > > From: Samuel Thibault <samuel.thibault@ens-lyon.org>
> > >
> > > From: Samuel Thibault <samuel.thibault@ens-lyon.org>
> > >
> > > If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
> > > the loop to copy as much data as available to the provided buffer. If
> > > softsynthx_read() is invoked through sys_splice(), this causes an
> > > unbounded kernel write; but even when userspace just reads from it
> > > normally, a small size could cause userspace crashes.
> >
> > Or you could try this (completely untested, though):
>
> I think this has the same problem as my original buggy patch: At the
> point where you notice that you'd overflow the buffer, you've already
> consumed a character from the synth buffer. You'd have to put it back,
> and since the spinlock protecting it has been dropped, that's a bit
> weird.
>
> Also, I'm not sure whether Greg prefers fixes for stable kernels that
> don't also contain cleanup?
For staging code, I really don't care, as long as it's fixing an issue :)
thanks,
greg k-h
next prev parent reply other threads:[~2018-07-13 8:32 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-12 22:29 [PATCH] staging: speakup: fix wraparound in uaccess length check Jann Horn
2018-07-12 22:47 ` Al Viro
2018-07-12 23:12 ` Jann Horn
2018-07-13 8:31 ` Greg Kroah-Hartman [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-07-07 1:53 Jann Horn
2018-07-07 8:01 ` Greg Kroah-Hartman
2018-07-07 8:13 ` Samuel Thibault
2018-07-07 8:22 ` Jann Horn
2018-07-07 8:32 ` Samuel Thibault
2018-07-07 8:29 ` Samuel Thibault
2018-07-07 14:03 ` Greg Kroah-Hartman
2018-07-10 20:34 ` Jann Horn
2018-07-11 9:27 ` Greg Kroah-Hartman
2018-07-10 20:34 ` Jann Horn
2018-07-11 9:44 ` Samuel Thibault
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180713083154.GA21160@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=chris@the-brannons.com \
--cc=devel@driverdev.osuosl.org \
--cc=jannh@google.com \
--cc=kirk@reisers.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=samuel.thibault@ens-lyon.org \
--cc=speakup@linux-speakup.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).