| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <99a2b46bcc2885ee9ad790bb2fc3305ac1bbc81c.1480572271.git.fthain@telegraphics.com.au>
Date: Thu, 1 Dec 2016 01:09:33 -0500 (EST)
From: Finn Thain <fthain@...egraphics.com.au>
To: Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: linux-m68k@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-kernel@...r.kernel.org
Subject: [PATCH 04/10] via-cuda: Prevent read buffer overflow
If the Cuda driver does not enter the 'read_done' state for some
reason, it may continue in the 'reading' state until the buffer
overflows. Add a bounds check to prevent this.
Tested-by: Stan Johnson <userm57@...oo.com>
Signed-off-by: Finn Thain <fthain@...egraphics.com.au>
---
drivers/macintosh/via-cuda.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/macintosh/via-cuda.c b/drivers/macintosh/via-cuda.c
index 64626d2..acf3a95 100644
--- a/drivers/macintosh/via-cuda.c
+++ b/drivers/macintosh/via-cuda.c
@@ -470,6 +470,8 @@ cuda_poll(void)
}
EXPORT_SYMBOL(cuda_poll);
+#define ARRAY_FULL(a, p) ((p) - (a) == ARRAY_SIZE(a))
+
static irqreturn_t
cuda_interrupt(int irq, void *arg)
{
@@ -558,7 +560,11 @@ cuda_interrupt(int irq, void *arg)
break;
case reading:
- *reply_ptr++ = in_8(&via[SR]);
+ if (reading_reply ? ARRAY_FULL(current_req->reply, reply_ptr)
+ : ARRAY_FULL(cuda_rbuf, reply_ptr))
+ (void)in_8(&via[SR]);
+ else
+ *reply_ptr++ = in_8(&via[SR]);
if (!TREQ_asserted(status)) {
/* that's all folks */
negate_TIP_and_TACK();
--
2.7.3
Powered by blists - more mailing lists