From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E5E5C04AAF for ; Mon, 20 May 2019 07:26:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 23F2520856 for ; Mon, 20 May 2019 07:26:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558337214; bh=VsPiXaQ+14kQCokzvFUVfRaXXQwDBGl7ZFMDCA9v+do=; h=Subject:To:From:Date:List-ID:From; b=NHioAWkj+0NiL2HPiyzaK4is6VfFNLFeZONF3svoL7Nw75iWUapdO9Ky1E6JM5REM foLYW+6+GJdoVhvFzbt93vsSQ4QCwaIeu52GIWqyY7R7NPp9f33TfhV0bXzPf7cp1z 5rdtMkL9l/b/DKcE2ZdB1RbRCptq+QwYk899Drc4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727102AbfETH0x (ORCPT ); Mon, 20 May 2019 03:26:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:51438 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725983AbfETH0x (ORCPT ); Mon, 20 May 2019 03:26:53 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B579F20851; Mon, 20 May 2019 07:26:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558337213; bh=VsPiXaQ+14kQCokzvFUVfRaXXQwDBGl7ZFMDCA9v+do=; h=Subject:To:From:Date:From; b=MitPXHF/2c/g4YQpjKqdigs9Nsl15J2FMjHv0oAgrGnr3vfRnLyH9vXJpG3lnphU1 zIkn5pHLPv2o93WpBKp68FP6b7kXCHJxDITfr/dYs41s9c2AfpVdnOC6uhusRFymP4 DPCm8cQA0zwa7YOJPVxzKHvWVhs3Dy0hukPzBfq8= Subject: patch "staging: vc04_services: prevent integer overflow in create_pagelist()" added to staging-linus To: dan.carpenter@oracle.com, gregkh@linuxfoundation.org, stable@vger.kernel.org From: Date: Mon, 20 May 2019 09:26:38 +0200 Message-ID: <15583371981297@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org This is a note to let you know that I've just added the patch titled staging: vc04_services: prevent integer overflow in create_pagelist() to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From ca641bae6da977d638458e78cd1487b6160a2718 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 15 May 2019 12:38:33 +0300 Subject: staging: vc04_services: prevent integer overflow in create_pagelist() The create_pagelist() "count" parameter comes from the user in vchiq_ioctl() and it could overflow. If you look at how create_page() is called in vchiq_prepare_bulk_data(), then the "size" variable is an int so it doesn't make sense to allow negatives or larger than INT_MAX. I don't know this code terribly well, but I believe that typical values of "count" are typically quite low and I don't think this check will affect normal valid uses at all. The "pagelist_size" calculation can also overflow on 32 bit systems, but not on 64 bit systems. I have added an integer overflow check for that as well. The Raspberry PI doesn't offer the same level of memory protection that x86 does so these sorts of bugs are probably not super critical to fix. Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver") Signed-off-by: Dan Carpenter Cc: stable Signed-off-by: Greg Kroah-Hartman --- .../vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c index a9a22917ecdb..c557c9953724 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c @@ -368,9 +368,18 @@ create_pagelist(char __user *buf, size_t count, unsigned short type) int dma_buffers; dma_addr_t dma_addr; + if (count >= INT_MAX - PAGE_SIZE) + return NULL; + offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1)); num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE); + if (num_pages > (SIZE_MAX - sizeof(struct pagelist) - + sizeof(struct vchiq_pagelist_info)) / + (sizeof(u32) + sizeof(pages[0]) + + sizeof(struct scatterlist))) + return NULL; + pagelist_size = sizeof(struct pagelist) + (num_pages * sizeof(u32)) + (num_pages * sizeof(pages[0]) + -- 2.21.0