Message-ID: <20160301203338.360a3487@www.etchedpixels.co.uk>
Date:	Tue, 1 Mar 2016 20:33:38 +0000
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	linux-kernel@...r.kernel.org, gwendal@...omium.org,
	javier.martinez@...labora.co.uk
Subject: Security hole in cros_ec_dev.c on 32bit chrome hosts

This was reported to Google on Feb 2nd with no action but an
acknowledgement.

Making public since we are close to release


/* Ioctls */
static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
{
        long ret;  
        struct cros_ec_command u_cmd;
        struct cros_ec_command *s_cmd;

        if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
                return -EFAULT;
 
        s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
                        GFP_KERNEL);

Pass u_cmd.insize as a very large value so that it overflows with the
sizeof to a small number which we kmalloc

        if (!s_cmd)
                return -ENOMEM;

and copy u_cmd.outsize bytes into it.

        if (copy_from_user(s_cmd, arg, sizeof(*s_cmd) + u_cmd.outsize)) {
                ret = -EFAULT;
                goto exit;
        }


Alan
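
The size arithmetic described in the message above, as an added example that is not part of the original post or the kernel source. It models a 32-bit size_t with uint32_t; HDR_SIZE (standing in for sizeof(struct cros_ec_command)), MAX_PAYLOAD and the sample sizes are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this sketch: uint32_t stands in for a 32-bit size_t,
 * HDR_SIZE for sizeof(struct cros_ec_command), and MAX_PAYLOAD is a
 * hypothetical upper bound on either buffer. */
#define HDR_SIZE    20u
#define MAX_PAYLOAD 256u

static uint32_t max_u32(uint32_t a, uint32_t b) { return a > b ? a : b; }

/* Size handed to kmalloc() in the posted code; wraps modulo 2^32. */
uint32_t alloc_size_unchecked(uint32_t outsize, uint32_t insize)
{
    return HDR_SIZE + max_u32(outsize, insize);
}

/* Length of the second copy_from_user() in the posted code. */
uint32_t copy_len(uint32_t outsize)
{
    return HDR_SIZE + outsize;
}

/* Validate both user-supplied sizes before any arithmetic on them. */
int alloc_size_checked(uint32_t outsize, uint32_t insize, uint32_t *size)
{
    if (outsize > MAX_PAYLOAD || insize > MAX_PAYLOAD)
        return -EINVAL;
    *size = HDR_SIZE + max_u32(outsize, insize); /* cannot wrap now */
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the post. */
    uint32_t outsize = 0x100, insize = 0xFFFFFFF0u, size = 0;

    printf("unchecked alloc: %u bytes, copy: %u bytes\n",
           alloc_size_unchecked(outsize, insize), copy_len(outsize));
    printf("checked: %d\n", alloc_size_checked(outsize, insize, &size));
    return 0;
}
```

With the unchecked arithmetic the allocation is smaller than the copy length; bounding both sizes first keeps the sum from wrapping and keeps the copy inside the buffer.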
