Date: Fri, 6 Jul 2018 17:16:49 +0200
Message-Id: <20180706151649.31119-1-jannh@google.com>
X-Mailer: git-send-email 2.18.0.399.gad0ab374a1-goog
Subject: [PATCH] firewire: nosy: don't read packets bigger than requested
From: Jann Horn
To: Stefan Richter, jannh@google.com
Cc: linux1394-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

In general, accessing userspace memory beyond the length of the supplied buffer in VFS read/write handlers can lead to both kernel memory corruption (via kernel_read()/kernel_write(), which can e.g. be triggered via sys_splice()) and privilege escalation inside userspace.

Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
Signed-off-by: Jann Horn
---
No CC stable because this device shouldn't be available to unprivileged code by default and should be pretty rare.

 drivers/firewire/nosy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
index a128dd1126ae..732075fc312e 100644
--- a/drivers/firewire/nosy.c
+++ b/drivers/firewire/nosy.c
@@ -161,11 +161,12 @@ packet_buffer_get(struct client *client, char __user *data, size_t user_length) if (atomic_read(&buffer->size) == 0) return -ENODEV; - /* FIXME: Check length <= user_length. */ - end = buffer->data + buffer->capacity; length = buffer->head->length; + if (length > user_length) + return -EINVAL; + if (&buffer->head->data[length] < end) { if (copy_to_user(data, buffer->head->data, length)) return -EFAULT; -- 2.18.0.399.gad0ab374a1-goog
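Review bot: the added `if (length > user_length) return -EINVAL;` returns before the packet is dequeued, so a read() with a too-small buffer leaves the packet at the head of the ring and the same call with the same buffer size keeps failing until userspace retries with a larger buffer; that is the right fail-closed choice for a sniffer (truncating would silently drop packet bytes), but the commit message should state it, and it is worth a comment that the bound now covers both the linear `copy_to_user(data, buffer->head->data, length)` shown here and whatever copy path handles the case where `&buffer->head->data[length] < end` is false. Whether `-EINVAL` or a size-specific errno such as `-EMSGSIZE` better signals "buffer too small" is a judgement call; either way, documenting the minimum buffer size callers need would help.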
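The bound the patch adds, as an added C example that is not the nosy driver's code: a userspace model of a ring-buffer packet read with the `length > user_length` check, including the wrap-around copy path that the hunk's `end` test implies. `pkt_buffer`, `pkt_read` and `demo_wrapped_read` are assumed names, the 1-byte length header and the sample packet are constructed for the demo, and memcpy into `user_buf` stands in for copy_to_user().

```c
/* Added example, not the nosy driver's code: a userspace model of a
 * ring-buffer packet read handler carrying the bound check from the patch.
 * Names and the [len][payload...] ring layout are assumptions for the demo. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAP 16

struct pkt_buffer {
    uint8_t data[CAP]; /* ring storage: length byte then payload, may wrap */
    size_t head;       /* offset of the oldest packet's length byte */
    size_t count;      /* packets queued */
};

/* Read one packet into user_buf (capacity user_length). Returns bytes copied,
 * -ENODEV when nothing is queued, -EINVAL when the packet does not fit; in the
 * -EINVAL case the packet stays queued so a retry with a bigger buffer works. */
long pkt_read(struct pkt_buffer *b, uint8_t *user_buf, size_t user_length)
{
    if (b->count == 0)
        return -ENODEV;
    size_t length = b->data[b->head];
    if (length > user_length) /* the check the patch adds */
        return -EINVAL;
    size_t src = (b->head + 1) % CAP;
    size_t first = CAP - src; /* bytes available before the end of storage */
    if (first >= length) {
        memcpy(user_buf, b->data + src, length);
    } else { /* packet wraps: copy the tail of storage, then its start */
        memcpy(user_buf, b->data + src, first);
        memcpy(user_buf + first, b->data, length - first);
    }
    b->head = (src + length) % CAP;
    b->count--;
    return (long)length;
}

/* Constructed sample: a 5-byte packet "nosy!" whose length byte sits at
 * offset 12, so its payload occupies offsets 13..15 and wraps to 0..1. */
long demo_wrapped_read(uint8_t *out, size_t out_len)
{
    struct pkt_buffer b = { .head = 12, .count = 1 };
    static const uint8_t tail_part[4] = { 5, 'n', 'o', 's' }; /* len + first 3 */
    memcpy(b.data + 12, tail_part, 4);
    memcpy(b.data, "y!", 2); /* remaining 2 bytes wrapped to the start */
    return pkt_read(&b, out, out_len);
}
```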