lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <YP+bINav7znIU6xF@kroah.com>
Date:   Tue, 27 Jul 2021 07:35:28 +0200
From:   "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
To:     tcs_kernel(腾讯云内核开发者) 
        <tcs_kernel@...cent.com>
Cc:     Sam Ravnborg <sam@...nborg.org>,
        "daniel.vetter@...ll.ch" <daniel.vetter@...ll.ch>,
        "yepeilin.cs@...il.com" <yepeilin.cs@...il.com>,
        "penguin-kernel@...ove.SAKURA.ne.jp" 
        <penguin-kernel@...ove.sakura.ne.jp>,
        "tzimmermann@...e.de" <tzimmermann@...e.de>,
        "george.kennedy@...cle.com" <george.kennedy@...cle.com>,
        "ducheng2@...il.com" <ducheng2@...il.com>,
        "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        "linux-fbdev@...r.kernel.org" <linux-fbdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Internet]Re: [PATCH] fbcon: Out-Of-Bounds write in
 sys_imageblit, add range check

On Tue, Jul 27, 2021 at 01:53:13AM +0000, tcs_kernel(腾讯云内核开发者) wrote:
> yres and vyres can be controlled by user mode paramaters, and cause p->vrows to become a negative value. While this value be passed to real_y function, the ypos will be out of screen range.
> This is an out-of-bounds write bug.
> I think updatescrollmode is the right place to validate values supplied by a user ioctl, because only here makes --operation,and 0 is a legal value before that.

Please wrap your changelog text.

> 
> Signed-off-by: Tencent Cloud System tcs_kernel@...cent.com

That is not the name of a person :(

And the format isn't correct, so there's nothing we can do with this
patch, and the patch itself is corrupted and could not be applied :(

Also, what about checking these values earlier?  How can the value be 0
earlier and be acceptable?  Putting bounds on the user-provided values
would be much easier, right?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ