ACK: [CVE-2017-100363][PATCHv2 T/Y/Z] char: lp: fix possible integer overflow in lp_setup()

[Colin Ian King]

On 07/06/17 10:05, Po-Hsu Lin wrote:
> From: Willy Tarreau <w at 1wt.eu>
> 
> CVE-2017-100363
> 
> The lp_setup() code doesn't apply any bounds checking when passing
> "lp=none", and only in this case, resulting in an overflow of the
> parport_nr[] array. All versions in Git history are affected.
> 
> Reported-By: Roee Hay <roee.hay at hcl.com>
> Cc: Ben Hutchings <ben at decadent.org.uk>
> Cc: stable at vger.kernel.org
> Signed-off-by: Willy Tarreau <w at 1wt.eu>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit 3e21f4af170bebf47c187c1ff8bf155583c9f3b1)
> 
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
>  drivers/char/lp.c |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/lp.c b/drivers/char/lp.c
> index 0913d79..6b61910 100644
> --- a/drivers/char/lp.c
> +++ b/drivers/char/lp.c
> @@ -857,7 +857,11 @@ static int __init lp_setup (char *str)
>  	} else if (!strcmp(str, "auto")) {
>  		parport_nr[0] = LP_PARPORT_AUTO;
>  	} else if (!strcmp(str, "none")) {
> -		parport_nr[parport_ptr++] = LP_PARPORT_NONE;
> +		if (parport_ptr < LP_NO)
> +			parport_nr[parport_ptr++] = LP_PARPORT_NONE;
> +		else
> +			printk(KERN_INFO "lp: too many ports, %s ignored.\n",
> +			       str);
>  	} else if (!strcmp(str, "reset")) {
>  		reset = 1;
>  	}
> 

Looks good to me.

Acked-by: Colin Ian King <colin.king at canonical.com>