| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Nov 2019 20:55:50 -0500
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Dan Carpenter <dan.carpenter@...cle.com>,
Peter Malone <peter.malone@...il.com>,
Philippe Ombredanne <pombredanne@...b.com>,
Mathieu Malaterre <malat@...ian.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Sasha Levin <sashal@...nel.org>,
dri-devel@...ts.freedesktop.org, linux-fbdev@...r.kernel.org
Subject: [PATCH AUTOSEL 4.14 083/115] fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
From: Dan Carpenter <dan.carpenter@...cle.com>
[ Upstream commit e5017716adb8aa5c01c52386c1b7470101ffe9c5 ]
The "index + count" addition can overflow. Both come directly from the
user. This bug leads to an information leak.
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Peter Malone <peter.malone@...il.com>
Cc: Philippe Ombredanne <pombredanne@...b.com>
Cc: Mathieu Malaterre <malat@...ian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
drivers/video/fbdev/sbuslib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index 90c51330969c2..01a7110e61a76 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
get_user(ublue, &c->blue))
return -EFAULT;
- if (index + count > cmap->len)
+ if (index > cmap->len || count > cmap->len - index)
return -EINVAL;
for (i = 0; i < count; i++) {
--
2.20.1
Powered by blists - more mailing lists