lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <X9fugmc5XldpHqnW@google.com>
Date:   Mon, 14 Dec 2020 15:00:18 -0800
From:   Dmitry Torokhov <dmitry.torokhov@...il.com>
To:     Arnd Bergmann <arnd@...nel.org>
Cc:     Dudley Du <dudl@...ress.com>, Arnd Bergmann <arnd@...db.de>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        linux-input@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] input: cyapa_gen6: fix out-of-bounds stack access

On Mon, Oct 26, 2020 at 05:13:29PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
> 
> gcc -Warray-bounds warns about a serious bug in
> cyapa_pip_retrieve_data_structure:
> 
> drivers/input/mouse/cyapa_gen6.c: In function 'cyapa_pip_retrieve_data_structure.constprop':
> include/linux/unaligned/access_ok.h:40:17: warning: array subscript -1 is outside array bounds of 'struct retrieve_data_struct_cmd[1]' [-Warray-bounds]
>    40 |  *((__le16 *)p) = cpu_to_le16(val);
> drivers/input/mouse/cyapa_gen6.c:569:13: note: while referencing 'cmd'
>   569 |  } __packed cmd;
>       |             ^~~
> 
> Apparently the '-2' was added to the pointer instead of the value,
> writing garbage into the stack next to this variable.
> 
> Fixes: c2c06c41f700 ("Input: cyapa - add gen6 device module support")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>

Applied, thank you.

-- 
Dmitry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ