From: Bartlomiej Zolnierkiewicz
To: Peter Malone
Cc: Mathieu Malaterre, Linux Fbdev development list, dri-devel, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
Date: Wed, 07 Mar 2018 14:03:54 +0100
Message-id: <2367982.TLCx2xJjlb@amdc3058>
References: <20180130203042.4797-1-peter.malone@gmail.com>

On Sunday, February 04, 2018 09:18:03 AM Peter Malone wrote:
> Hi folks,

Hi,

> CVE-2018-6412 has been created for this. Is it possible for you to add
> a note indicating the CVE number when merging the patch?
>
> I received the CVE number after the patch was created and ack'd, which
> is why I didn't include it in the commit message.

I queued the patch (with Mathieu's ACK and CVE number added to the patch
description) for v4.16, thanks.

> On Wed, Jan 31, 2018 at 10:49 AM, Mathieu Malaterre wrote:
> > Hi Peter,
> >
> > On Wed, Jan 31, 2018 at 3:57 PM, Peter Malone wrote:
> >> Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
> >> sbusfb_ioctl_helper().
> >>
> >> 'index' is defined as an int in sbusfb_ioctl_helper().
> >> We retrieve this from the user:
> >> if (get_user(index, &c->index) ||
> >> __get_user(count, &c->count) ||
> >> __get_user(ured, &c->red) ||
> >> __get_user(ugreen, &c->green) ||
> >> __get_user(ublue, &c->blue))
> >> return -EFAULT;
> >>
> >> and then we use 'index' in the following way:
> >> red = cmap->red[index + i] >> 8;
> >> green = cmap->green[index + i] >> 8;
> >> blue = cmap->blue[index + i] >> 8;
> >>
> >> This is a classic information leak vulnerability. 'index' should be
> >> an unsigned int, given its usage above.
> >>
> >> This patch is straight-forward; it changes 'index' to unsigned int
> >> in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.
> >>
> >> Signed-off-by: Peter Malone
> >> ---
> >
> > much better :)
> >
> >> v2: fixed formatting
> >>
> >> drivers/video/fbdev/sbuslib.c | 4 ++--
> >> 1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
> >> index af6fc97f4ba4..a436d44f1b7f 100644
> >> --- a/drivers/video/fbdev/sbuslib.c
> >> +++ b/drivers/video/fbdev/sbuslib.c
> >> @@ -122,7 +122,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
> >> unsigned char __user *ured;
> >> unsigned char __user *ugreen;
> >> unsigned char __user *ublue;
> >> - int index, count, i;
> >> + unsigned int index, count, i;
> >>
> >> if (get_user(index, &c->index) ||
> >> __get_user(count, &c->count) ||
> >> @@ -161,7 +161,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
> >> unsigned char __user *ugreen;
> >> unsigned char __user *ublue;
> >> struct fb_cmap *cmap = &info->cmap;
> >> - int index, count, i;
> >> + unsigned int index, count, i;
> >> u8 red, green, blue;
> >>
> >> if (get_user(index, &c->index) ||
> >> --
> >> 2.14.3
> >>
> >
> > By just looking at the code and commit message:
> >
> > Acked-by: Mathieu Malaterre

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
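Review bot: the patch title names only FBIOGETCMAP_SPARC, yet the first hunk (@@ -122) is the FBIOPUTCMAP_SPARC case, and the commit message argues only from the `cmap->red[index + i]` read in the GET path. One sentence should say why the PUT path needs the same `unsigned int index, count, i;` change (the same `get_user(index, &c->index)` read is visible in that hunk and feeds an index there too), or the title should name both cases.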
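Review bot: the second hunk (@@ -161) ends its context at `if (get_user(index, &c->index) ||` and does not show the range check that must guard `cmap->red[index + i]`, so the reader cannot confirm the fix is complete. With `index` and `count` now `unsigned int`, a bound written as a sum (`index + count > cmap->len`) can wrap back below the length for a large `count`; the check should be in a non-wrapping form such as `index > cmap->len || count > cmap->len - index`, and the commit message should state which bound now rejects a negative value that became huge on conversion.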
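The signed-index bug described in the commit message above, and the unsigned wrap-around a reviewer would want ruled out, as an added C example that is not code from this thread or from sbuslib.c. The two range-check shapes are assumptions (the hunks do not show the kernel's actual check), and the colormap length and request values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the FBIOGETCMAP_SPARC index handling discussed above.
 * Request fields are int, like the kernel's struct fbcmap; the real range
 * check is not in the hunks, so the check shapes below are assumptions. */

/* Assumed pre-patch shape with signed int: a negative index keeps
 * index + count below len, so the request is ACCEPTED (returns true) and
 * cmap->red[index + i] would read memory in front of the array. */
static bool range_ok_signed(int index, int count, int len)
{
	return !(index + count > len);
}

/* Same summed bound after the type change: the negative index is now huge
 * and rejected, but a huge count can wrap index + count back below len. */
static bool range_ok_unsigned_sum(unsigned int index, unsigned int count, unsigned int len)
{
	return !(index + count > len);
}

/* Non-wrapping form: bound each half against len separately. */
static bool range_ok_unsigned(unsigned int index, unsigned int count, unsigned int len)
{
	return index <= len && count <= len - index;
}

/* Validate a raw request as the patched code sees it: the signed struct
 * fields land in unsigned variables, so -64 becomes 4294967232 > len. */
static bool request_ok(int req_index, int req_count, unsigned int len)
{
	return range_ok_unsigned((unsigned int)req_index, (unsigned int)req_count, len);
}

int main(void)
{
	const unsigned int len = 256;	/* constructed colormap length */
	const char *verdict[] = { "rejected", "accepted" };

	printf("signed sum,    index=-64 count=16: %s\n",
	       verdict[range_ok_signed(-64, 16, (int)len)]);
	printf("unsigned sum,  index=250 count=-5: %s\n",
	       verdict[range_ok_unsigned_sum(250, (unsigned int)-5, len)]);
	printf("non-wrapping,  index=-64 count=16: %s\n", verdict[request_ok(-64, 16, len)]);
	printf("non-wrapping,  index=250 count=-5: %s\n", verdict[request_ok(250, -5, len)]);
	printf("non-wrapping,  index=240 count=16: %s\n", verdict[request_ok(240, 16, len)]);
	return 0;
}
```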