| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Apr 2018 03:16:45 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Wolfram Sang <wsa@...-dreams.de>, linux-i2c@...r.kernel.org,
linux-kernel@...r.kernel.org, sil2review@...ts.osadl.org,
Dmitry Vyukov <dvyukov@...gle.com>,
Alexander Popov <alex.popov@...ux.com>
Subject: [PATCH 1/1] i2c: dev: check i2c_msg len before memdup_user() to prevent ZERO_SIZE_PTR deref
Currently i2cdev_ioctl_rdwr() doesn't check i2c_msg len against zero
before calling memdup_user(). If this len is zero memdup_user() returns
ZERO_SIZE_PTR, which is later considered as valid since
IS_ERR(ZERO_SIZE_PTR) is false. That causes ZERO_SIZE_PTR deref oops.
Let's check i2c_msg len against zero before calling memdup_user().
This issue was triggered by syzkaller.
Signed-off-by: Alexander Popov <alex.popov@...ux.com>
---
drivers/i2c/i2c-dev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 036a03f..b9b6715 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -252,8 +252,8 @@ static noinline int i2cdev_ioctl_rdwr(struct i2c_client *client,
res = 0;
for (i = 0; i < nmsgs; i++) {
- /* Limit the size of the message to a sane amount */
- if (msgs[i].len > 8192) {
+ /* Check that the size is sane */
+ if (!msgs[i].len || msgs[i].len > 8192) {
res = -EINVAL;
break;
}
--
2.7.4
Powered by blists - more mailing lists