In-Reply-To: <20180131145755.26109-1-peter.malone@gmail.com>
References: <20180130203042.4797-1-peter.malone@gmail.com> <20180131145755.26109-1-peter.malone@gmail.com>
From: Mathieu Malaterre
Date: Wed, 31 Jan 2018 16:49:10 +0100
Subject: Re: [PATCH v2] Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
To: Peter Malone
Cc: Linux Fbdev development list, Bartlomiej Zolnierkiewicz, dri-devel, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Peter,

On Wed, Jan 31, 2018 at 3:57 PM, Peter Malone wrote:
> Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
> sbusfb_ioctl_helper().
>
> 'index' is defined as an int in sbusfb_ioctl_helper().
> We retrieve this from the user:
> if (get_user(index, &c->index) ||
> __get_user(count, &c->count) ||
> __get_user(ured, &c->red) ||
> __get_user(ugreen, &c->green) ||
> __get_user(ublue, &c->blue))
> return -EFAULT;
>
> and then we use 'index' in the following way:
> red = cmap->red[index + i] >> 8;
> green = cmap->green[index + i] >> 8;
> blue = cmap->blue[index + i] >> 8;
>
> This is a classic information leak vulnerability. 'index' should be
> an unsigned int, given its usage above.
>
> This patch is straight-forward; it changes 'index' to unsigned int
> in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.
>
> Signed-off-by: Peter Malone
> ---

much better :)

> v2: fixed formatting
>
> drivers/video/fbdev/sbuslib.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
> index af6fc97f4ba4..a436d44f1b7f 100644
> --- a/drivers/video/fbdev/sbuslib.c
> +++ b/drivers/video/fbdev/sbuslib.c
> @@ -122,7 +122,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
> unsigned char __user *ured;
> unsigned char __user *ugreen;
> unsigned char __user *ublue;
> - int index, count, i;
> + unsigned int index, count, i;
>
> if (get_user(index, &c->index) ||
> __get_user(count, &c->count) ||
> @@ -161,7 +161,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
> unsigned char __user *ugreen;
> unsigned char __user *ublue;
> struct fb_cmap *cmap = &info->cmap;
> - int index, count, i;
> + unsigned int index, count, i;
> u8 red, green, blue;
>
> if (get_user(index, &c->index) ||
> --
> 2.14.3
>

By just looking at the code and commit message:

Acked-by: Mathieu Malaterre
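Review bot: in the FBIOPUTCMAP_SPARC hunk at line 122, `count` becomes unsigned together with `index`, but the hunk adds no bound on either value, and both are read straight from userspace via `get_user(index, &c->index)` and `__get_user(count, &c->count)`. A negative value in `c->count`, which an `int` comparison would have treated as "nothing to do", now becomes a very large unsigned count, so the code that walks `count` entries should be capped explicitly (for example against the colormap length) rather than relying on the type change alone. Also, the subject line names only FBIOGETCMAP_SPARC while this hunk changes the FBIOPUTCMAP_SPARC case; worth reflecting in the subject or the commit message.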
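Review bot: in the FBIOGETCMAP_SPARC hunk at line 161, making `index` unsigned stops a negative value from indexing before `cmap->red`, but it does not by itself bound the `cmap->red[index + i]` access quoted in the commit message: a large unsigned `index` still reaches far past the end of `info->cmap`, and any range check written on the sum, such as `index + count > cmap->len`, can be passed by values whose unsigned sum wraps to a small number. Suggest a wrap-safe check before the loop, `if (index > cmap->len || count > cmap->len - index) return -EINVAL;`, so that each operand is bounded before they are combined, and a sentence in the commit message saying where that check lives.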
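As an added example (not part of the patch or of the kernel source), the range checks one might write in front of the `cmap->red[index + i]` access from the commit message above, each compared against a 64-bit oracle: a check on the sum with `int` operands, the same check with `unsigned int` operands, and a wrap-safe form. `CMAP_LEN`, the test vectors and all function names are assumptions.

```c
/* Added example, not from the patch or the kernel; CMAP_LEN and all names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CMAP_LEN 256u  /* assumed info->cmap.len */

/* Oracle in 64 bits (cannot wrap): is every cmap[index + i], 0 <= i < count, in [0, len)? */
static bool oracle(int64_t index, int64_t count, int64_t len)
{
    return index >= 0 && count >= 0 && index + count <= len;
}

/* Sum check with int operands (pre-patch types): index -1 passes, yet cmap[-1] is read. */
static bool sum_check_int(int index, int count, int len)
{
    return index + count <= len;
}

/* Same check, unsigned operands (post-patch types): no negatives, but 0xFFFFFFFF + 2 == 1 passes. */
static bool sum_check_uint(unsigned int index, unsigned int count, unsigned int len)
{
    return index + count <= len;
}

/* Wrap-safe form: bound each operand before combining them. */
static bool safe_check(unsigned int index, unsigned int count, unsigned int len)
{
    return index <= len && count <= len - index;
}

/* Constructed vectors: how many times a check disagrees with the oracle. */
static int count_mismatches(bool (*check)(unsigned int, unsigned int, unsigned int))
{
    static const unsigned int v[][2] = {
        {0, 256}, {255, 1}, {256, 0}, {255, 2}, {256, 1},     /* in range; plainly out of range */
        {0xFFFFFFFFu, 2}, {0x80000000u, 0x80000001u},          /* out of range, sum wraps to 1 */
    };
    int bad = 0;
    for (size_t k = 0; k < sizeof v / sizeof v[0]; k++)
        if (check(v[k][0], v[k][1], CMAP_LEN) != oracle(v[k][0], v[k][1], CMAP_LEN))
            bad++;
    return bad;
}

int main(void)
{
    printf("int check, index -1: passes=%d oracle=%d; unsigned sum check: %d mismatches; wrap-safe: %d\n",
           sum_check_int(-1, 2, CMAP_LEN), oracle(-1, 2, CMAP_LEN), count_mismatches(sum_check_uint), count_mismatches(safe_check));
    return 0;
}
```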