lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20170224175502.GA23284@kroah.com>
Date:   Fri, 24 Feb 2017 18:55:02 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Johan Hovold <johan@...nel.org>
Cc:     Ben Hutchings <ben@...adent.org.uk>, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH 4.4 17/25] USB: serial: digi_acceleport: fix OOB data
 sanity check

On Fri, Feb 24, 2017 at 06:33:04PM +0100, Johan Hovold wrote:
> On Fri, Feb 24, 2017 at 01:38:25PM +0000, Ben Hutchings wrote: > On Fri, 2017-02-24 at 09:25 +0100, Greg Kroah-Hartman wrote:
> > > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Johan Hovold <johan@...nel.org>
> > > 
> > > commit 2d380889215fe20b8523345649dee0579821800c upstream.
> > > 
> > > Make sure to check for short transfers to avoid underflow in a loop
> > > condition when parsing the receive buffer.
> > > 
> > > Also fix an off-by-one error in the incomplete sanity check which could
> > > lead to invalid data being parsed.
> > 
> > This appears to *introduce* an off-by-one.  Which is not as serious as
> > the underflow, but is still a regression.
> > 
> > Suppose we have urb->actual_length == 4:
> > 
> > [...]
> > > -	for (i = 0; i < urb->actual_length - 3;) {
> > 
> > i < 1 is true, so we would run the loop once.
> > 
> > > -		opcode = ((unsigned char *)urb->transfer_buffer)[i++];
> > > -		line = ((unsigned char *)urb->transfer_buffer)[i++];
> > > -		status = ((unsigned char *)urb->transfer_buffer)[i++];
> > > -		val = ((unsigned char *)urb->transfer_buffer)[i++];
> > > +	for (i = 0; i < urb->actual_length - 4; i += 4) {
> > 
> > i < 0 is false, so we now skip the loop.
> 
> Good catch, thanks! The original loop condition was indeed correct
> (modulo the missing underflow check), and I'll post a follow-up fix to
> address this.
> 
> > > +		opcode = buf[i];
> > > +		line = buf[i + 1];
> > > +		status = buf[i + 2];
> > > +		val = buf[i + 3];
> 
> You should probably not apply this one until after the follow-up is in
> Linus' tree as this patch breaks TIOCMGET.

Ok, I'll drop this one from the stable tree now.  Remind me to pick this
one up when the fixup hits Linus's tree.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ