lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 8 Jan 2020 09:11:48 +0100
From:   Pavel Machek <pavel@...x.de>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Daniel Vetter <daniel.vetter@...el.com>,
        syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com,
        Kees Cook <keescook@...omium.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH 4.19 040/115] drm: limit to INT_MAX in create_blob ioctl

On Tue 2020-01-07 21:54:10, Greg Kroah-Hartman wrote:
> From: Daniel Vetter <daniel.vetter@...ll.ch>
> 
> [ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ]
> 
> The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
> ("uaccess: disallow > INT_MAX copy sizes")

> Code itself should have been fine as-is.
> 
> Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
> Signed-off-by: Daniel Vetter <daniel.vetter@...el.com>
> Reported-by: syzbot+fb77e97ebf0612ee6914@...kaller.appspotmail.com
> Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")

There is no such thing as commit 6a30afa8c1fb. Apparently this is
talking about commit "6d13de1489b6bf539695f96d945de3860e6d5e17", but
that one is not in 4.19-stable.

Do we need this in 4.19-stable?
								Pavel

> +++ b/drivers/gpu/drm/drm_property.c
> @@ -556,7 +556,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
>  	struct drm_property_blob *blob;
>  	int ret;
>  
> -	if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
> +	if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
>  		return ERR_PTR(-EINVAL);
>  
>  	blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ