Date:   Fri, 6 Mar 2020 01:30:47 +0100
From:   Samuel Thibault <samuel.thibault@...-lyon.org>
To:     akpm@...ux-foundation.org
Cc:     speakup@...ille.uwo.ca, linux-kernel@...r.kernel.org
Subject: [PATCH] staging/speakup: fix get_word non-space look-ahead

get_char was erroneously given the address of the pointer to the text
instead of the address of the text, thus leading to random crashes when
the user requests speaking a word while the current position is on a space
character and say_word_ctl is not enabled.

Cc: stable@...r.kernel.org
Reported-on: https://github.com/bytefire/speakup/issues/1
Reported-by: Kirk Reiser <kirk@...sers.ca>
Reported-by: Janina Sajka <janina@...note.net>
Reported-by: Alexandr Epaneshnikov <aarnaarn2@...il.com>
Reported-by: Gregory Nowak <greg@...gn.net>
Reported-by: deedra waters <deedra@...-brannons.com>
Signed-off-by: Samuel Thibault <samuel.thibault@...-lyon.org>
Tested-by: Alexandr Epaneshnikov <aarnaarn2@...il.com>
Tested-by: Gregory Nowak <greg@...gn.net>
Tested-by: Michael Taboada <michael@...haels.world>
---
 drivers/staging/speakup/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/speakup/main.c b/drivers/staging/speakup/main.c
index 488f2539aa9a..81ecfd1a200d 100644
--- a/drivers/staging/speakup/main.c
+++ b/drivers/staging/speakup/main.c
@@ -561,7 +561,7 @@ static u_long get_word(struct vc_data *vc)
 		return 0;
 	} else if (tmpx < vc->vc_cols - 2 &&
 		   (ch == SPACE || ch == 0 || (ch < 0x100 && IS_WDLM(ch))) &&
-		   get_char(vc, (u_short *)&tmp_pos + 1, &temp) > SPACE) {
+		   get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE) {
 		tmp_pos += 2;
 		tmpx++;
 	} else {
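Review bot: in the changed condition of get_word(), the look-ahead offset is now correct only because the cast binds tighter than the addition, so `(u_short *)tmp_pos + 1` steps one u_short while the body below advances with `tmp_pos += 2`; the two encode the same distance in different units. Consider writing the argument as `(u_short *)(tmp_pos + 2)`, or taking a local u_short pointer once, so the offset passed to get_char and the advance visibly use the same constant and the precedence that hid the original `&tmp_pos + 1` mistake no longer matters. The old expression pointed one u_short past the start of the local variable itself rather than into the text, which matches the random crashes described in the message. Since the patch is marked Cc: stable, a Fixes: tag naming the commit that introduced the `&tmp_pos` form would help backporting.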
-- 
2.20.1
