| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Sep 2017 22:38:28 +0100
From: Colin King <colin.king@...onical.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>, Ingo Molnar <mingo@...nel.org>
Cc: kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] tty: vt: keyboard: add range check to kbs->kb_func index
From: Colin Ian King <colin.king@...onical.com>
A value outside the range 0..MAX_NR_FUNC-1 in kbs->kb_func will
cause an array bounds overflow on func_table. Fix this by adding
a range check.
Detected by CoverityScan, CID#401961 ("Untrusted array index read")
Fixes: 079c9534a96d ("vt:tackle kbd_table")
Signed-off-by: Colin Ian King <colin.king@...onical.com>
---
drivers/tty/vt/keyboard.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index f4166263bb3a..1ecf545a96a8 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1982,6 +1982,11 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0';
i = kbs->kb_func;
+ if (i < 0 || i >= MAX_NR_FUNC) {
+ ret = -EINVAL;
+ goto reterr;
+ }
+
switch (cmd) {
case KDGKBSENT:
sz = sizeof(kbs->kb_string) - 1; /* sz should have been
--
2.14.1
Powered by blists - more mailing lists