lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 27 Apr 2018 14:06:58 +0200
From:   Wolfram Sang <wsa@...-dreams.de>
To:     Alexander Popov <alex.popov@...ux.com>
Cc:     Uwe Kleine-König 
        <u.kleine-koenig@...gutronix.de>, linux-i2c@...r.kernel.org,
        linux-kernel@...r.kernel.org, sil2review@...ts.osadl.org,
        Dmitry Vyukov <dvyukov@...gle.com>, syzkaller@...glegroups.com
Subject: Re: [v2 1/1] i2c: dev: prevent ZERO_SIZE_PTR deref in
 i2cdev_ioctl_rdwr()

On Thu, Apr 19, 2018 at 03:29:22PM +0300, Alexander Popov wrote:
> i2cdev_ioctl_rdwr() allocates i2c_msg.buf using memdup_user(), which
> returns ZERO_SIZE_PTR if i2c_msg.len is zero.
> 
> Currently i2cdev_ioctl_rdwr() always dereferences the buf pointer in case
> of I2C_M_RD | I2C_M_RECV_LEN transfer. That causes a kernel oops in
> case of zero len.
> 
> Let's check the len against zero before dereferencing buf pointer.
> 
> This issue was triggered by syzkaller.
> 
> Signed-off-by: Alexander Popov <alex.popov@...ux.com>

Applied to for-current with the arithmetic expression changed to '< 1'
to keep in sync with the previous one. Will push out soon, so you can
double check if you are interested.

Thanks for the debugging, Alexander!


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ