References: <20180130203042.4797-1-peter.malone@gmail.com>
 <20180131145755.26109-1-peter.malone@gmail.com>
From: Peter Malone
Date: Sun, 4 Feb 2018 09:18:03 -0500
Subject: Re: [PATCH v2] Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
To: Mathieu Malaterre
Cc: Linux Fbdev development list, Bartlomiej Zolnierkiewicz, dri-devel, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Hi folks,

CVE-2018-6412 has been created for this. Is it possible for you to add a
note indicating the CVE number when merging the patch?

I received the CVE number after the patch was created and ack'd, which
is why I didn't include it in the commit message.

On Wed, Jan 31, 2018 at 10:49 AM, Mathieu Malaterre wrote:
> Hi Peter,
>
> On Wed, Jan 31, 2018 at 3:57 PM, Peter Malone wrote:
>> Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
>> sbusfb_ioctl_helper().
>>
>> 'index' is defined as an int in sbusfb_ioctl_helper().
>> We retrieve this from the user:
>> if (get_user(index, &c->index) ||
>> __get_user(count, &c->count) ||
>> __get_user(ured, &c->red) ||
>> __get_user(ugreen, &c->green) ||
>> __get_user(ublue, &c->blue))
>> return -EFAULT;
>>
>> and then we use 'index' in the following way:
>> red = cmap->red[index + i] >> 8;
>> green = cmap->green[index + i] >> 8;
>> blue = cmap->blue[index + i] >> 8;
>>
>> This is a classic information leak vulnerability. 'index' should be
>> an unsigned int, given its usage above.
>>
>> This patch is straight-forward; it changes 'index' to unsigned int
>> in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.
>>
>> Signed-off-by: Peter Malone
>> ---
>
> much better :)
>
>> v2: fixed formatting
>>
>> drivers/video/fbdev/sbuslib.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
>> index af6fc97f4ba4..a436d44f1b7f 100644
>> --- a/drivers/video/fbdev/sbuslib.c
>> +++ b/drivers/video/fbdev/sbuslib.c
>> @@ -122,7 +122,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
>> unsigned char __user *ured;
>> unsigned char __user *ugreen;
>> unsigned char __user *ublue;
>> - int index, count, i;
>> + unsigned int index, count, i;
>>
>> if (get_user(index, &c->index) ||
>> __get_user(count, &c->count) ||
>> @@ -161,7 +161,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
>> unsigned char __user *ugreen;
>> unsigned char __user *ublue;
>> struct fb_cmap *cmap = &info->cmap;
>> - int index, count, i;
>> + unsigned int index, count, i;
>> u8 red, green, blue;
>>
>> if (get_user(index, &c->index) ||
>> --
>> 2.14.3
>>
>
> By just looking at the code and commit message:
>
> Acked-by: Mathieu Malaterre

--
Regards,
Peter.
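Review bot: in the first hunk (@@ -122,7) `count` and `i` are widened to unsigned together with `index`, but the commit message only argues the change for `index`. A negative `count` read by `__get_user(count, &c->count)` no longer compares below zero; it becomes a value near 4 billion, so whatever loop consumes it after this hunk (not shown here) depends entirely on a later bounds check, or on `get_user` failing at the end of the user buffer, to terminate. Either state in the commit message that `count` is intentionally widened and what bounds it afterwards, or leave `count` and `i` as they were if the sign of `index` is the only concern.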
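Review bot: in the second hunk (@@ -161,7) making `index` unsigned removes the negative subscript, but `index + i` in `cmap->red[index + i]` (quoted in the commit message) is now 32-bit unsigned arithmetic and can wrap. If the range check that follows this hunk compares the sum `index + count` against `cmap->len` (the check is not part of the hunk), the same user request that motivated the patch still gets through: an `index` of -16 arrives as 0xFFFFFFF0, adds with `count` 16 to 0, passes the comparison, and the loop subscripts far beyond the colormap. The unsigned type alone does not close the leak the message describes. Suggest bounding the two values separately so nothing user-controlled is summed before the comparison, e.g. `if (index > cmap->len || count > cmap->len - index) return -EINVAL;`, and saying in the commit message which check is relied on.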
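A userspace model of the index check discussed in this thread, added here as an example and not code from the kernel or from the patch author. It assumes a range check of the shape `index + count > len` before the copy loop (that check is not quoted on the page, and the kernel's actual check may differ), stands in a constructed 256-entry array for `info->cmap.red`, and counts how many reads the GETCMAP loop would make outside the colormap for a caller that supplies index = -16 and count = 16: once with the signed types of the pre-patch code, once with the patch's unsigned types and the same summed check, and once with a check that bounds `index` and `count` separately so no user-controlled addition can wrap.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for info->cmap.len; the real length comes from the driver. */
#define CMAP_LEN 256u

/* Pre-patch shape: signed index/count from struct fbcmap, summed range check.
 * A negative index makes the sum small, so the comparison passes. */
int check_signed(int index, int count, int len)
{
	return (index + count > len) ? -EINVAL : 0;
}

/* Post-patch shape: the same expression with unsigned operands. Negative
 * values are gone, but the 32-bit sum can wrap back below len. */
int check_unsigned_sum(unsigned int index, unsigned int count, unsigned int len)
{
	return (index + count > len) ? -EINVAL : 0;
}

/* Hardened form: bound index first, then count against the room that is
 * left. Nothing user-controlled is added before a comparison, so nothing
 * can wrap; the accepted set (index + count <= len) is unchanged. */
int check_hardened(unsigned int index, unsigned int count, unsigned int len)
{
	if (index > len)
		return -EINVAL;
	if (count > len - index)
		return -EINVAL;
	return 0;
}

/* Reads the loop would make outside cmap->red[0..len-1] once the signed
 * check accepted the request; -1 when the request was rejected. */
long oob_reads_signed(int index, int count, int len)
{
	long oob = 0;

	if (check_signed(index, count, len))
		return -1;
	for (int i = 0; i < count; i++) {
		long idx = (long)index + i;	/* the cmap->red[index + i] subscript */
		if (idx < 0 || idx >= len)
			oob++;
	}
	return oob;
}

/* Same accounting with unsigned operands under whichever check is supplied.
 * index + i is evaluated in unsigned int, so it wraps exactly as the
 * subscript expression would with the patch applied. */
long oob_reads_unsigned(unsigned int index, unsigned int count, unsigned int len,
			int (*check)(unsigned int, unsigned int, unsigned int))
{
	long oob = 0;

	if (check(index, count, len))
		return -1;
	for (unsigned int i = 0; i < count; i++) {
		unsigned int idx = index + i;
		if (idx >= len)
			oob++;
	}
	return oob;
}

int main(void)
{
	/* Constructed request: userspace fills struct fbcmap with index = -16, count = 16. */
	int uidx = -16, ucnt = 16;

	printf("signed check   : out-of-bounds reads = %ld\n",
	       oob_reads_signed(uidx, ucnt, (int)CMAP_LEN));
	printf("unsigned sum   : out-of-bounds reads = %ld\n",
	       oob_reads_unsigned((unsigned int)uidx, (unsigned int)ucnt,
				  CMAP_LEN, check_unsigned_sum));
	printf("hardened check : out-of-bounds reads = %ld\n",
	       oob_reads_unsigned((unsigned int)uidx, (unsigned int)ucnt,
				  CMAP_LEN, check_hardened));
	return 0;
}
```

The signed model lets all 16 reads land before the start of the colormap; the unsigned model with a summed check lets the same request through, with the 16 reads now landing past its end; only the separated check rejects it. The separated form is the one to use anywhere two user-supplied lengths or offsets are compared against a buffer size.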