ACK: [CVE-2016-8405][PATCH T/Y] fbdev: color map copying bounds checking

Stefan Bader stefan.bader at canonical.com
Tue Jul 11 15:11:50 UTC 2017 

On 03.07.2017 06:18, Po-Hsu Lin wrote:
> From: Kees Cook <keescook at chromium.org>
> 
> Copying color maps to userspace doesn't check the value of to->start,
> which will cause kernel heap buffer OOB read due to signedness wraps.
> 
> CVE-2016-8405
> 
> Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Kees Cook <keescook at chromium.org>
> Reported-by: Peter Pi (@heisecode) of Trend Micro
> Cc: Min Chong <mchong at google.com>
> Cc: Dan Carpenter <dan.carpenter at oracle.com>
> Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 2dc705a9930b4806250fbf5a76e55266e59389f2)
> 
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>

Acked-by: Stefan Bader <stefan.bader at canonical.com>

> ---
>  drivers/video/fbdev/core/fbcmap.c |   26 ++++++++++++++------------
>  1 file changed, 14 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
> index f89245b..68a1135 100644
> --- a/drivers/video/fbdev/core/fbcmap.c
> +++ b/drivers/video/fbdev/core/fbcmap.c
> @@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
>  
>  int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>  {
> -	int tooff = 0, fromoff = 0;
> -	int size;
> +	unsigned int tooff = 0, fromoff = 0;
> +	size_t size;
>  
>  	if (to->start > from->start)
>  		fromoff = to->start - from->start;
>  	else
>  		tooff = from->start - to->start;
> -	size = to->len - tooff;
> -	if (size > (int) (from->len - fromoff))
> -		size = from->len - fromoff;
> -	if (size <= 0)
> +	if (fromoff >= from->len || tooff >= to->len)
> +		return -EINVAL;
> +
> +	size = min_t(size_t, to->len - tooff, from->len - fromoff);
> +	if (size == 0)
>  		return -EINVAL;
>  	size *= sizeof(u16);
>  
> @@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>  
>  int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
>  {
> -	int tooff = 0, fromoff = 0;
> -	int size;
> +	unsigned int tooff = 0, fromoff = 0;
> +	size_t size;
>  
>  	if (to->start > from->start)
>  		fromoff = to->start - from->start;
>  	else
>  		tooff = from->start - to->start;
> -	size = to->len - tooff;
> -	if (size > (int) (from->len - fromoff))
> -		size = from->len - fromoff;
> -	if (size <= 0)
> +	if (fromoff >= from->len || tooff >= to->len)
> +		return -EINVAL;
> +
> +	size = min_t(size_t, to->len - tooff, from->len - fromoff);
> +	if (size == 0)
>  		return -EINVAL;
>  	size *= sizeof(u16);
>  
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20170711/f3551eed/attachment.sig>

More information about the kernel-team mailing list