From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH 4.19 50/73] staging: vc04_services: prevent integer overflow in create_pagelist()
Date: Fri, 7 Jun 2019 17:39:37 +0200 [thread overview]
Message-ID: <20190607153854.691840870@linuxfoundation.org> (raw)
In-Reply-To: <20190607153848.669070800@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit ca641bae6da977d638458e78cd1487b6160a2718 upstream.
The create_pagelist() "count" parameter comes from the user in
vchiq_ioctl() and it could overflow. If you look at how create_page()
is called in vchiq_prepare_bulk_data(), then the "size" variable is an
int so it doesn't make sense to allow negatives or larger than INT_MAX.
I don't know this code terribly well, but I believe that typical values
of "count" are typically quite low and I don't think this check will
affect normal valid uses at all.
The "pagelist_size" calculation can also overflow on 32 bit systems, but
not on 64 bit systems. I have added an integer overflow check for that
as well.
The Raspberry PI doesn't offer the same level of memory protection that
x86 does so these sorts of bugs are probably not super critical to fix.
Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
@@ -410,9 +410,18 @@ create_pagelist(char __user *buf, size_t
int dma_buffers;
dma_addr_t dma_addr;
+ if (count >= INT_MAX - PAGE_SIZE)
+ return NULL;
+
offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1));
num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE);
+ if (num_pages > (SIZE_MAX - sizeof(PAGELIST_T) -
+ sizeof(struct vchiq_pagelist_info)) /
+ (sizeof(u32) + sizeof(pages[0]) +
+ sizeof(struct scatterlist)))
+ return NULL;
+
pagelist_size = sizeof(PAGELIST_T) +
(num_pages * sizeof(u32)) +
(num_pages * sizeof(pages[0]) +
next prev parent reply other threads:[~2019-06-07 15:45 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-07 15:38 [PATCH 4.19 00/73] 4.19.49-stable review Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 01/73] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 02/73] include/linux/bitops.h: sanitize rotate primitives Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 03/73] xhci: update bounce buffer with correct sg num Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 04/73] xhci: Use %zu for printing size_t type Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 05/73] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 06/73] usb: xhci: avoid null pointer deref when bos field is NULL Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 07/73] usbip: usbip_host: fix BUG: sleeping function called from invalid context Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 08/73] usbip: usbip_host: fix stub_dev lock context imbalance regression Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 09/73] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 10/73] USB: sisusbvga: fix oops in error path of sisusb_probe Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 11/73] USB: Add LPM quirk for Surface Dock GigE adapter Greg Kroah-Hartman
2019-06-07 15:38 ` [PATCH 4.19 12/73] USB: rio500: refuse more than one device at a time Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 13/73] USB: rio500: fix memory leak in close after disconnect Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 14/73] media: usb: siano: Fix general protection fault in smsusb Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 15/73] media: usb: siano: Fix false-positive "uninitialized variable" warning Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 16/73] media: smsusb: better handle optional alignment Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 17/73] brcmfmac: fix NULL pointer derefence during USB disconnect Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 18/73] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 19/73] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 20/73] tracing: Avoid memory leak in predicate_parse() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 21/73] Btrfs: fix wrong ctime and mtime of a directory after log replay Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 22/73] Btrfs: fix race updating log root item during fsync Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 23/73] Btrfs: fix fsync not persisting changed attributes of a directory Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 24/73] Btrfs: incremental send, fix file corruption when no-holes feature is enabled Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 25/73] iio: dac: ds4422/ds4424 fix chip verification Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 26/73] iio: adc: ti-ads8688: fix timestamp is not updated in buffer Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 27/73] s390/crypto: fix gcm-aes-s390 selftest failures Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 28/73] s390/crypto: fix possible sleep during spinlock aquired Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 29/73] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of passthrough interrupts Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 30/73] powerpc/perf: Fix MMCRA corruption by bhrb_filter Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 31/73] ALSA: line6: Assure canceling delayed work at disconnection Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 32/73] ALSA: hda/realtek - Set default power save node to 0 Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 33/73] ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 34/73] KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 35/73] drm/nouveau/i2c: Disable i2c bus access after ->fini() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 36/73] i2c: mlxcpld: Fix wrong initialization order in probe Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 37/73] i2c: synquacer: fix synquacer_i2c_doxfer() return value Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 38/73] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 39/73] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 40/73] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 41/73] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 42/73] arm64: Fix the arm64_personality() syscall wrapper redirection Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 43/73] docs: Fix conf.py for Sphinx 2.0 Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 44/73] doc: Cope with the deprecation of AutoReporter Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 45/73] doc: Cope with Sphinx logging deprecations Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 46/73] ima: show rules with IMA_INMASK correctly Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 47/73] evm: check hash algorithm passed to init_desc() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 48/73] vt/fbcon: deinitialize resources in visual_init() after failed memory allocation Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 49/73] serial: sh-sci: disable DMA for uart_console Greg Kroah-Hartman
2019-06-07 15:39 ` Greg Kroah-Hartman [this message]
2019-06-07 15:39 ` [PATCH 4.19 51/73] staging: wlan-ng: fix adapter initialization failure Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 52/73] cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 53/73] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 54/73] Revert "lockd: Show pid of lockd for remote locks" Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 55/73] gcc-plugins: Fix build failures under Darwin host Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 56/73] drm/tegra: gem: Fix CPU-cache maintenance for BOs allocated using get_pages() Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 57/73] drm/vmwgfx: Dont send drm sysfs hotplug events on initial master set Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 58/73] drm/sun4i: Fix sun8i HDMI PHY clock initialization Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 59/73] drm/sun4i: Fix sun8i HDMI PHY configuration for > 148.5 MHz Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 60/73] drm/rockchip: shutdown drm subsystem on shutdown Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 61/73] drm/lease: Make sure implicit planes are leased Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 62/73] Compiler Attributes: add support for __copy (gcc >= 9) Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 63/73] include/linux/module.h: copy __init/__exit attrs to init/cleanup_module Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 64/73] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 65/73] Revert "binder: fix handling of misaligned binder object" Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 66/73] binder: fix race between munmap() and direct reclaim Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 67/73] x86/ftrace: Do not call function graph from dynamic trampolines Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 68/73] x86/ftrace: Set trampoline pages as executable Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 69/73] x86/kprobes: Set instruction page " Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 70/73] scsi: lpfc: Fix backport of faf5a744f4f8 ("scsi: lpfc: avoid uninitialized variable warning") Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 71/73] of: overlay: validate overlay properties #address-cells and #size-cells Greg Kroah-Hartman
2019-06-07 15:39 ` [PATCH 4.19 72/73] of: overlay: set node fields from properties when add new overlay node Greg Kroah-Hartman
2019-06-07 15:40 ` [PATCH 4.19 73/73] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Greg Kroah-Hartman
2019-06-07 19:29 ` [PATCH 4.19 00/73] 4.19.49-stable review kernelci.org bot
2019-06-08 7:53 ` Naresh Kamboju
2019-06-08 18:49 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190607153854.691840870@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).