[CVE-2016-8405][T/Y SRU] fbdev: color map copying bounds checking


[CVE-2016-8405][T/Y SRU] fbdev: color map copying bounds checking

Po-Hsu Lin (Sam)
This patch can be cherry-picked for both Trusty and Yakkety.
Other releases are not affected.

Kees Cook (1):
  fbdev: color map copying bounds checking

 drivers/video/fbdev/core/fbcmap.c |   26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

--
1.7.9.5


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[CVE-2016-8405][PATCH T/Y] fbdev: color map copying bounds checking

Po-Hsu Lin (Sam)
From: Kees Cook <[hidden email]>

Copying color maps to userspace doesn't check the value of to->start,
which will cause kernel heap buffer OOB read due to signedness wraps.

CVE-2016-8405

Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kees Cook <[hidden email]>
Reported-by: Peter Pi (@heisecode) of Trend Micro
Cc: Min Chong <[hidden email]>
Cc: Dan Carpenter <[hidden email]>
Cc: Tomi Valkeinen <[hidden email]>
Cc: Bartlomiej Zolnierkiewicz <[hidden email]>
Cc: <[hidden email]>
Signed-off-by: Andrew Morton <[hidden email]>
Signed-off-by: Linus Torvalds <[hidden email]>
(cherry picked from commit 2dc705a9930b4806250fbf5a76e55266e59389f2)

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 drivers/video/fbdev/core/fbcmap.c |   26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
index f89245b..68a1135 100644
--- a/drivers/video/fbdev/core/fbcmap.c
+++ b/drivers/video/fbdev/core/fbcmap.c
@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
 
 int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
 {
- int tooff = 0, fromoff = 0;
- int size;
+ unsigned int tooff = 0, fromoff = 0;
+ size_t size;
 
  if (to->start > from->start)
  fromoff = to->start - from->start;
  else
  tooff = from->start - to->start;
- size = to->len - tooff;
- if (size > (int) (from->len - fromoff))
- size = from->len - fromoff;
- if (size <= 0)
+ if (fromoff >= from->len || tooff >= to->len)
+ return -EINVAL;
+
+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
+ if (size == 0)
  return -EINVAL;
  size *= sizeof(u16);
 
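Review bot: the new `if (fromoff >= from->len || tooff >= to->len)` check is the load-bearing line of this hunk and deserves a one-line comment in the code, because it is easy to drop in a later cleanup: once `tooff` and `fromoff` are `unsigned int` and `size` is `size_t`, the subtractions `to->len - tooff` and `from->len - fromoff` can no longer go negative, so the `min_t()` on its own would turn an out-of-range offset into a very large size instead of the (badly tested) negative one the old `int` code produced. The early `-EINVAL` return must stay ahead of the subtraction. Separately, the commit message only speaks of "Copying color maps to userspace", while this hunk changes `fb_copy_cmap()`, whose destination is a kernel `struct fb_cmap` rather than a `struct fb_cmap_user`; a sentence noting that the in-kernel copy gets the same treatment would save backporters from wondering whether this hunk is intended.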
@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
 
 int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
 {
- int tooff = 0, fromoff = 0;
- int size;
+ unsigned int tooff = 0, fromoff = 0;
+ size_t size;
 
  if (to->start > from->start)
  fromoff = to->start - from->start;
  else
  tooff = from->start - to->start;
- size = to->len - tooff;
- if (size > (int) (from->len - fromoff))
- size = from->len - fromoff;
- if (size <= 0)
+ if (fromoff >= from->len || tooff >= to->len)
+ return -EINVAL;
+
+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
+ if (size == 0)
  return -EINVAL;
  size *= sizeof(u16);
 
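Review bot: this hunk is a line-for-line duplicate of the `fb_copy_cmap()` hunk above, and the shared offset/size computation should be moved into one static helper (say `fb_cmap_range()`, name illustrative) that both functions call, so the bounds check cannot drift apart the next time one of the two is touched. The logic itself is sound here: `to->start` comes from the caller, `fromoff` is now unsigned and is compared against `from->len` before it is used in any subtraction, which closes the signedness wrap the commit message describes, and `size == 0` correctly replaces `size <= 0` once `size` is a `size_t`. Since `size *= sizeof(u16)` now produces a `size_t`, it is worth confirming that the remainder of the function, outside this hunk, has no remaining signed comparison on `size` before the length reaches the copy.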
--
1.7.9.5
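An added illustration, not part of the patch or of this thread: the pre-patch and post-patch offset/size computation from the two hunks above, lifted into a stand-alone C program so the signedness wrap the commit message refers to can be seen on constructed values. `struct cmap_hdr` is a constructed stand-in for the `start`/`len` fields of `struct fb_cmap` (assumed 32-bit unsigned, as in the UAPI header; the real struct also carries the colour arrays), and `old_plan`, `new_plan` and `plan_in_bounds` are names chosen here. The program only computes the offsets and byte count each version would hand to the copy; it performs no copy.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two struct fb_cmap fields the bounds logic uses. */
struct cmap_hdr {
    uint32_t start;
    uint32_t len;
};

/* What a copy would do: byte count (or -EINVAL) plus the element offsets applied. */
struct copy_plan {
    long bytes;
    long from_off;
    long to_off;
};

/* Offset/size computation as it stood before the patch: signed locals. */
struct copy_plan old_plan(struct cmap_hdr from, struct cmap_hdr to)
{
    struct copy_plan p = { -EINVAL, 0, 0 };
    int tooff = 0, fromoff = 0;
    int size;

    if (to.start > from.start)
        fromoff = to.start - from.start;      /* u32 difference truncated into int */
    else
        tooff = from.start - to.start;
    size = to.len - tooff;
    if (size > (int)(from.len - fromoff))     /* a negative fromoff inflates this bound */
        size = from.len - fromoff;
    p.from_off = fromoff;
    p.to_off = tooff;
    if (size > 0)
        p.bytes = (long)size * (long)sizeof(uint16_t);
    return p;
}

/* The same computation after the patch: unsigned locals, range check first. */
struct copy_plan new_plan(struct cmap_hdr from, struct cmap_hdr to)
{
    struct copy_plan p = { -EINVAL, 0, 0 };
    unsigned int tooff = 0, fromoff = 0;
    size_t size;

    if (to.start > from.start)
        fromoff = to.start - from.start;
    else
        tooff = from.start - to.start;
    if (fromoff >= from.len || tooff >= to.len) /* reject before subtracting */
        return p;
    size = to.len - tooff;                      /* min_t(size_t, ...) spelled out */
    if (size > from.len - fromoff)
        size = from.len - fromoff;
    if (size == 0)
        return p;
    p.from_off = fromoff;
    p.to_off = tooff;
    p.bytes = (long)(size * sizeof(uint16_t));
    return p;
}

/* 1 if every element the plan would touch lies inside both colour maps. */
int plan_in_bounds(struct copy_plan p, struct cmap_hdr from, struct cmap_hdr to)
{
    long n;

    if (p.bytes < 0)
        return 1;                               /* rejected: nothing is copied */
    n = p.bytes / (long)sizeof(uint16_t);
    return p.from_off >= 0 && p.from_off + n <= (long)from.len &&
           p.to_off >= 0 && p.to_off + n <= (long)to.len;
}

int main(void)
{
    /* Constructed inputs: a 256-entry driver palette and four caller-supplied maps. */
    struct cmap_hdr kernel = { 0, 256 };
    struct cmap_hdr req[] = { { 0, 256 }, { 16, 16 }, { 300, 16 }, { 0xFFFFFF00u, 16 } };
    size_t i;

    for (i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
        struct copy_plan o = old_plan(kernel, req[i]);
        struct copy_plan n = new_plan(kernel, req[i]);

        printf("to.start=0x%08lx to.len=%lu | old: bytes=%ld from_off=%ld in_bounds=%d | new: bytes=%ld\n",
               (unsigned long)req[i].start, (unsigned long)req[i].len,
               o.bytes, o.from_off, plan_in_bounds(o, kernel, req[i]), n.bytes);
    }
    return 0;
}
```

The third constructed map (`start` 300 against a 256-entry palette) is rejected by both versions, which is why the old check looked adequate. The fourth is the wrap: `0xFFFFFF00` truncated into an `int` is -256, so the old `from->len - fromoff` evaluates to 512, the size test passes, and the resulting source offset sits 256 entries before the palette. The patched logic compares the unsigned `fromoff` against `from->len` before any subtraction and returns -EINVAL.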


ACK: [CVE-2016-8405][PATCH T/Y] fbdev: color map copying bounds checking

Stefan Bader
On 03.07.2017 06:18, Po-Hsu Lin wrote:

> From: Kees Cook <[hidden email]>
>
> Copying color maps to userspace doesn't check the value of to->start,
> which will cause kernel heap buffer OOB read due to signedness wraps.
>
> CVE-2016-8405
>
> Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Kees Cook <[hidden email]>
> Reported-by: Peter Pi (@heisecode) of Trend Micro
> Cc: Min Chong <[hidden email]>
> Cc: Dan Carpenter <[hidden email]>
> Cc: Tomi Valkeinen <[hidden email]>
> Cc: Bartlomiej Zolnierkiewicz <[hidden email]>
> Cc: <[hidden email]>
> Signed-off-by: Andrew Morton <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit 2dc705a9930b4806250fbf5a76e55266e59389f2)
>
> Signed-off-by: Po-Hsu Lin <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  drivers/video/fbdev/core/fbcmap.c |   26 ++++++++++++++------------
>  1 file changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
> index f89245b..68a1135 100644
> --- a/drivers/video/fbdev/core/fbcmap.c
> +++ b/drivers/video/fbdev/core/fbcmap.c
> @@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
>  
>  int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>  {
> - int tooff = 0, fromoff = 0;
> - int size;
> + unsigned int tooff = 0, fromoff = 0;
> + size_t size;
>  
>   if (to->start > from->start)
>   fromoff = to->start - from->start;
>   else
>   tooff = from->start - to->start;
> - size = to->len - tooff;
> - if (size > (int) (from->len - fromoff))
> - size = from->len - fromoff;
> - if (size <= 0)
> + if (fromoff >= from->len || tooff >= to->len)
> + return -EINVAL;
> +
> + size = min_t(size_t, to->len - tooff, from->len - fromoff);
> + if (size == 0)
>   return -EINVAL;
>   size *= sizeof(u16);
>  
> @@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
>  
>  int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
>  {
> - int tooff = 0, fromoff = 0;
> - int size;
> + unsigned int tooff = 0, fromoff = 0;
> + size_t size;
>  
>   if (to->start > from->start)
>   fromoff = to->start - from->start;
>   else
>   tooff = from->start - to->start;
> - size = to->len - tooff;
> - if (size > (int) (from->len - fromoff))
> - size = from->len - fromoff;
> - if (size <= 0)
> + if (fromoff >= from->len || tooff >= to->len)
> + return -EINVAL;
> +
> + size = min_t(size_t, to->len - tooff, from->len - fromoff);
> + if (size == 0)
>   return -EINVAL;
>   size *= sizeof(u16);
>  
>



ACK: [CVE-2016-8405][PATCH T/Y] fbdev: color map copying bounds checking

Seth Forshee
On Mon, Jul 03, 2017 at 12:18:51PM +0800, Po-Hsu Lin wrote:

> From: Kees Cook <[hidden email]>
>
> Copying color maps to userspace doesn't check the value of to->start,
> which will cause kernel heap buffer OOB read due to signedness wraps.
>
> CVE-2016-8405
>
> Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Kees Cook <[hidden email]>
> Reported-by: Peter Pi (@heisecode) of Trend Micro
> Cc: Min Chong <[hidden email]>
> Cc: Dan Carpenter <[hidden email]>
> Cc: Tomi Valkeinen <[hidden email]>
> Cc: Bartlomiej Zolnierkiewicz <[hidden email]>
> Cc: <[hidden email]>
> Signed-off-by: Andrew Morton <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit 2dc705a9930b4806250fbf5a76e55266e59389f2)
>
> Signed-off-by: Po-Hsu Lin <[hidden email]>

Acked-by: Seth Forshee <[hidden email]>


APPLIED: [CVE-2016-8405][T/Y SRU] fbdev: color map copying bounds checking

Thadeu Lima de Souza Cascardo
Applied to trusty and yakkety master-next branches.

Had to use 3-way merge for trusty, as the file has been moved.

Thanks.
Cascardo.
