From patchwork Thu Jul 14 13:12:38 2022
X-Patchwork-Submitter: Ning Qiang
X-Patchwork-Id: 12917990
Date: Thu, 14 Jul 2022 21:12:38 +0800 (CST)
From: sohu0106
To: tsbogend@alpha.franken.de
Cc: linux-mips@vger.kernel.org, security@kernel.org
Subject: buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c
Message-ID: <71b5d25.71d1.181fcd701cf.Coremail.sohu0106@126.com>
X-Mailing-List: linux-mips@vger.kernel.org

In the vpe_write() function of arch/mips/kernel/vpe.c, the parameter "size_t count" is passed from userland. If "count" is very large (such as count=0xffffffffffffffff), it bypasses the check "if ((count + v->len) > v->plen)". This then leads to a buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".

diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c index d0d832a..bd1f826 100644 --- a/arch/mips/kernel/vpe.c_org +++ b/arch/mips/kernel/vpe.c @@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer, if (v == NULL) return -ENODEV; - if ((count + v->len) > v->plen) { + if ((count + v->len) > v->plen || count + v->len > v->len) { pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n"); return -ENOMEM; }
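Review bot: the added clause `count + v->len > v->len` in the `+` line has its comparison inverted, so it does the opposite of an overflow guard. When the addition does not wrap, any `count > 0` makes the clause true and every legitimate write is rejected with -ENOMEM; when `count` is large enough to wrap (the 0xffffffffffffffff case the report describes), the wrapped sum is smaller than `v->len`, the clause is false, and the original bypass remains. Because `v->len` never exceeds `v->plen`, the overflow-safe form is a subtraction on the known-good side, `if (count > v->plen - v->len) {`, or `check_add_overflow()` from linux/overflow.h if you want the sum explicitly. Separately, the `---` header names `a/arch/mips/kernel/vpe.c_org`, so the patch will not apply to the tree as posted; the old path should be `a/arch/mips/kernel/vpe.c`.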
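To make the arithmetic concrete, the three forms of the length check side by side: the original, the one in the posted patch, and an overflow-safe one that compares against the remaining room. This is an added illustration, not code from the kernel or from the reporter; the functions take the relevant `len`, `plen` and `count` values directly instead of a `struct vpe`, and the sample sizes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Each function returns true when the write would be ACCEPTED, i.e. when
 * the corresponding check in vpe_write() would fall through to copy_from_user().
 * len  = bytes already in the buffer (v->len), plen = buffer capacity (v->plen).
 */

/* Original check: count + len is computed in size_t and can wrap past zero. */
bool accepts_original(size_t len, size_t plen, size_t count)
{
    return !((count + len) > plen);
}

/* Check exactly as written in the posted patch. */
bool accepts_patched(size_t len, size_t plen, size_t count)
{
    return !((count + len) > plen || count + len > len);
}

/*
 * Overflow-safe check: len <= plen is an invariant of the buffer, so the
 * remaining room plen - len cannot underflow, and no addition is needed.
 */
bool accepts_safe(size_t len, size_t plen, size_t count)
{
    if (len > plen)           /* defensive: corrupted state, refuse */
        return false;
    return count <= plen - len;
}

int main(void)
{
    /* Constructed sample: 16 bytes already written into a 4096-byte buffer. */
    size_t len = 16, plen = 4096;
    size_t counts[] = { 100, 4080, 4081, SIZE_MAX };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        size_t c = counts[i];
        printf("count=%zu original=%d patched=%d safe=%d\n", c,
               accepts_original(len, plen, c),
               accepts_patched(len, plen, c),
               accepts_safe(len, plen, c));
    }
    return 0;
}
```

The wrapping case (`count = SIZE_MAX`) is accepted by both the original and the patched check and rejected only by the safe one, while the ordinary 100-byte write is rejected by the patched check.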