| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 Dec 2016 19:56:26 -0500 (EST)
From: Finn Thain <fthain@...egraphics.com.au>
To: Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Michael Ellerman <mpe@...erman.id.au>,
Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: linux-m68k@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-kernel@...r.kernel.org
Subject: [PATCH RESEND 04/10] via-cuda: Prevent read buffer overflow
If the Cuda driver does not enter the 'read_done' state for some
reason, it may continue in the 'reading' state until the buffer
overflows. Add a bounds check to prevent this.
Tested-by: Stan Johnson <userm57@...oo.com>
Signed-off-by: Finn Thain <fthain@...egraphics.com.au>
---
drivers/macintosh/via-cuda.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/macintosh/via-cuda.c b/drivers/macintosh/via-cuda.c
index 64a04af..1cf1467 100644
--- a/drivers/macintosh/via-cuda.c
+++ b/drivers/macintosh/via-cuda.c
@@ -470,6 +470,8 @@ cuda_poll(void)
}
EXPORT_SYMBOL(cuda_poll);
+#define ARRAY_FULL(a, p) ((p) - (a) == ARRAY_SIZE(a))
+
static irqreturn_t
cuda_interrupt(int irq, void *arg)
{
@@ -558,7 +560,11 @@ cuda_interrupt(int irq, void *arg)
break;
case reading:
- *reply_ptr++ = in_8(&via[SR]);
+ if (reading_reply ? ARRAY_FULL(current_req->reply, reply_ptr)
+ : ARRAY_FULL(cuda_rbuf, reply_ptr))
+ (void)in_8(&via[SR]);
+ else
+ *reply_ptr++ = in_8(&via[SR]);
if (!TREQ_asserted(status)) {
/* that's all folks */
negate_TIP_and_TACK();
--
2.10.2
Powered by blists - more mailing lists