| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180430071310.7s7glgig3cilw4dj@pengutronix.de>
Date: Mon, 30 Apr 2018 09:13:10 +0200
From: Uwe Kleine-König
<u.kleine-koenig@...gutronix.de>
To: Wolfram Sang <wsa@...-dreams.de>
Cc: Alexander Popov <alex.popov@...ux.com>, linux-i2c@...r.kernel.org,
linux-kernel@...r.kernel.org, sil2review@...ts.osadl.org,
Dmitry Vyukov <dvyukov@...gle.com>, syzkaller@...glegroups.com
Subject: Re: [v2 1/1] i2c: dev: prevent ZERO_SIZE_PTR deref in
i2cdev_ioctl_rdwr()
On Fri, Apr 27, 2018 at 02:06:58PM +0200, Wolfram Sang wrote:
> On Thu, Apr 19, 2018 at 03:29:22PM +0300, Alexander Popov wrote:
> > i2cdev_ioctl_rdwr() allocates i2c_msg.buf using memdup_user(), which
> > returns ZERO_SIZE_PTR if i2c_msg.len is zero.
> >
> > Currently i2cdev_ioctl_rdwr() always dereferences the buf pointer in case
> > of I2C_M_RD | I2C_M_RECV_LEN transfer. That causes a kernel oops in
> > case of zero len.
> >
> > Let's check the len against zero before dereferencing buf pointer.
> >
> > This issue was triggered by syzkaller.
> >
> > Signed-off-by: Alexander Popov <alex.popov@...ux.com>
>
> Applied to for-current with the arithmetic expression changed to '< 1'
> to keep in sync with the previous one. Will push out soon, so you can
> double check if you are interested.
Thanks, I like it. An added bonus is also that you don't need to think
about the type of msgs[i].len and what happens if it is negative.
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Powered by blists - more mailing lists