Message-ID: <20160301203338.360a3487@www.etchedpixels.co.uk>
Date: Tue, 1 Mar 2016 20:33:38 +0000
From: Alan Cox <alan@...rguk.ukuu.org.uk>
To: linux-kernel@...r.kernel.org, gwendal@...omium.org,
javier.martinez@...labora.co.uk
Subject: Security hole in cros_ec_dev.c on 32bit chrome hosts
This was reported to Google on Feb 2nd with no action but an
acknowledgement.
Making it public since we are close to release.
/* Ioctls */
static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
{
	long ret;
	struct cros_ec_command u_cmd;
	struct cros_ec_command *s_cmd;

	if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
		return -EFAULT;

	s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
			GFP_KERNEL);

Pass u_cmd.insize as a very large value so that it overflows with the
sizeof to a small number which we kmalloc

	if (!s_cmd)
		return -ENOMEM;

and copy u_cmd.outsize bytes into it.

	if (copy_from_user(s_cmd, arg, sizeof(*s_cmd) + u_cmd.outsize)) {
		ret = -EFAULT;
		goto exit;
	}
Alan
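The arithmetic behind the report, worked through as an added example that is not part of Alan's message or the kernel source: the allocation size is computed in 32-bit size_t arithmetic (modelled here with a uint32_t typedef so it reproduces on a 64-bit build machine), the struct is a stand-in assumed to match the 2016-era uapi layout, and checked_alloc_size() with its hypothetical limit parameter is an illustrative hardening, not the fix that went into the kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct cros_ec_command (assumption: 2016-era
 * uapi layout, five u32 header fields followed by a flexible payload). */
struct cros_ec_command {
	uint32_t version, command, outsize, insize, result;
	uint8_t data[];
};

/* size_t on the 32-bit hosts named in the report, modelled explicitly. */
typedef uint32_t size32_t;
static uint32_t max_u32(uint32_t a, uint32_t b) { return a > b ? a : b; }

/* Allocation size exactly as the vulnerable code computes it. */
size32_t vulnerable_alloc_size(uint32_t outsize, uint32_t insize)
{
	return (size32_t)sizeof(struct cros_ec_command) + max_u32(outsize, insize);
}

/* Bytes the second copy_from_user() then writes into that buffer. */
size32_t vulnerable_copy_len(uint32_t outsize)
{
	return (size32_t)sizeof(struct cros_ec_command) + outsize;
}

/* Hardened variant: reject a size that would wrap, and bound the payload
 * anyway, since a non-wrapping but huge kmalloc is still a problem. */
bool checked_alloc_size(uint32_t outsize, uint32_t insize, uint32_t limit,
			size32_t *out)
{
	uint32_t payload = max_u32(outsize, insize);
	if (payload > limit)
		return false;
	if (payload > UINT32_MAX - (uint32_t)sizeof(struct cros_ec_command))
		return false;
	*out = (size32_t)sizeof(struct cros_ec_command) + payload;
	return true;
}

int main(void)
{
	uint32_t outsize = 64, insize = 0xFFFFFFF0u;	/* constructed input */
	printf("kmalloc(%u) but copy %u bytes\n",
	       vulnerable_alloc_size(outsize, insize), vulnerable_copy_len(outsize));
	return 0;
}
```

On a 64-bit host the same addition is done in 64-bit size_t and does not wrap, which is why the subject line restricts the hole to 32-bit hosts.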