From patchwork Wed Jan 31 14:57:55 2018
X-Patchwork-Submitter: Peter Malone
X-Patchwork-Id: 10194109
From: Peter Malone
To: linux-fbdev@vger.kernel.org
Cc: malat@debian.org, Peter Malone
Subject: [PATCH v2] Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
Date: Wed, 31 Jan 2018 09:57:55 -0500
Message-Id: <20180131145755.26109-1-peter.malone@gmail.com>
In-Reply-To: <20180130203042.4797-1-peter.malone@gmail.com>
References: <20180130203042.4797-1-peter.malone@gmail.com>
X-Mailing-List: linux-fbdev@vger.kernel.org

Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().

'index' is defined as an int in sbusfb_ioctl_helper(). We retrieve this
from the user:

	if (get_user(index, &c->index) ||
	    __get_user(count, &c->count) ||
	    __get_user(ured, &c->red) ||
	    __get_user(ugreen, &c->green) ||
	    __get_user(ublue, &c->blue))
		return -EFAULT;

and then we use 'index' in the following way:

	red = cmap->red[index + i] >> 8;
	green = cmap->green[index + i] >> 8;
	blue = cmap->blue[index + i] >> 8;

This is a classic information leak vulnerability. 'index' should be an
unsigned int, given its usage above.

This patch is straightforward; it changes 'index' to unsigned int in two
switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.

Signed-off-by: Peter Malone
Acked-by: Mathieu Malaterre
---
v2: fixed formatting

 drivers/video/fbdev/sbuslib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index af6fc97f4ba4..a436d44f1b7f 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -122,7 +122,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, unsigned char __user *ured; unsigned char __user *ugreen; unsigned char __user *ublue; - int index, count, i; + unsigned int index, count, i; if (get_user(index, &c->index) || __get_user(count, &c->count) || 
@@ -161,7 +161,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg, unsigned char __user *ugreen; unsigned char __user *ublue; struct fb_cmap *cmap = &info->cmap; - int index, count, i; + unsigned int index, count, i; u8 red, green, blue; if (get_user(index, &c->index) ||
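Review bot: in the first hunk (@@ -122), the commit message motivates only 'index', yet '- int index, count, i;' / '+ unsigned int index, count, i;' also changes 'count' and 'i'; say so in the message. Note too that the value still arrives through get_user(index, &c->index) from the user-supplied struct, so a negative index is not rejected by this hunk, it is merely turned into a large unsigned value. No range check is visible in the hunk, so please confirm that whatever validates index and count against the colormap length downstream copes with those large values rather than relying on the declaration change alone.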
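Review bot: in the second hunk (@@ -161, the case declaring 'cmap' and the u8 red/green/blue locals, i.e. the read path quoted in the message as 'red = cmap->red[index + i] >> 8;'), 'index + i' is now computed in unsigned int, so a check of the shape 'index + count > cmap->len' ahead of the loop would still pass for a very large index and a small count because the sum wraps. Suggest the overflow-safe form 'if (count > cmap->len || index > cmap->len - count) return -EINVAL;' and a sentence in the commit message stating where the bound on the read is actually enforced, since 'unsigned int' on its own does not bound it.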
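As an added illustration, not part of the patch or of the kernel's sbuslib.c, of why the signed 'index' leaks and what the unsigned declaration does and does not buy: three forms of the range check an ioctl handler needs before the copy loop, with the commit message's 'cmap->red[index + i] >> 8' loop placed behind the overflow-safe one. The struct, the check shapes and the sample colormap are assumptions constructed for this example.

```c
#include <stdbool.h>
#define CMAP_LEN 256u

/* Constructed stand-in for the struct fb_cmap fields the patched loop reads. */
struct cmap {
    unsigned int len;
    unsigned short red[CMAP_LEN];   /* 16-bit entries; green/blue omitted */
};

/* Pre-patch signed form: a negative 'index' keeps index + count small, so the
 * check passes and the copy loop would read before the array (the leak). */
bool range_ok_signed(int index, int count, unsigned int len)
{
    return index + count <= (int)len;
}

/* Patched unsigned form: negative input is now huge and fails, but
 * index + count can still wrap around to a small value and pass. */
bool range_ok_unsigned(unsigned int index, unsigned int count, unsigned int len)
{
    return index + count <= len;
}

/* Overflow-safe form: no addition can wrap, so both cases are rejected. */
bool range_ok_safe(unsigned int index, unsigned int count, unsigned int len)
{
    return count <= len && index <= len - count;
}

/* The commit message's copy loop behind the safe check; returns the number
 * of entries copied, or -1 if the request was rejected. */
int get_red_entries(const struct cmap *cmap, unsigned int index,
                    unsigned int count, unsigned char *out)
{
    unsigned int i;
    if (!range_ok_safe(index, count, cmap->len))
        return -1;
    for (i = 0; i < count; i++)
        out[i] = cmap->red[index + i] >> 8;
    return (int)count;
}

/* Constructed sample map (entry i holds i << 8): first byte copied for a
 * request (index, count), or -1 if the request was rejected. */
int first_red_byte(unsigned int index, unsigned int count)
{
    static struct cmap sample = { .len = CMAP_LEN };
    unsigned char buf[CMAP_LEN];
    unsigned int i;
    for (i = 0; i < CMAP_LEN; i++)
        sample.red[i] = (unsigned short)(i << 8);
    return get_red_entries(&sample, index, count, buf) < 0 ? -1 : buf[0];
}
```

The unsigned check alone rejects a negative index but not the wraparound case, which is why the safe form compares count and index separately against the length.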