| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211209143501.GA3041@kili>
Date: Thu, 9 Dec 2021 17:35:01 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Benson Leung <bleung@...omium.org>,
Bill Richardson <wfrichar@...omium.org>
Cc: Guenter Roeck <groeck@...omium.org>,
Javier Martinez Canillas <javier@....samsung.com>,
Olof Johansson <olof@...om.net>,
Gwendal Grignou <gwendal@...omium.org>,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH] platform/chrome: cros_ec: fix read overflow in
cros_ec_lpc_readmem()
If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
bytes" is a very high unsigned value and basically offset is
accepted. The second problem is that it uses >= instead of > so this
means that we are not able to read the very last byte.
Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
index d6306d2a096f..7e1d175def9f 100644
--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
char *s = dest;
int cnt = 0;
- if (offset >= EC_MEMMAP_SIZE - bytes)
+ if (offset > EC_MEMMAP_SIZE ||
+ bytes > EC_MEMMAP_SIZE - offset)
return -EINVAL;
/* fixed length */
--
2.20.1
Powered by blists - more mailing lists