From: Jann Horn
Date: Sat, 7 Jul 2018 10:22:52 +0200
Subject: Re: [PATCH] staging: speakup: fix wraparound in uaccess length check
To: samuel.thibault@ens-lyon.org, w.d.hubbs@gmail.com, chris@the-brannons.com, kirk@reisers.ca, Greg Kroah-Hartman , kernel list , speakup@linux-speakup.org, devel@driverdev.osuosl.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jul 7, 2018 at 10:13 AM Samuel Thibault wrote:
>
> Jann Horn, on Sat. 07 Jul. 2018 03:53:44 +0200, wrote:
> > @@ -257,6 +257,8 @@ static ssize_t softsynthx_read(struct file *fp, char __user *buf, size_t count, > > 0x80 | (ch & 0x3f) > > }; > > > > + if (chars_sent + 2 > count) > > + break; > > if (copy_to_user(cp, s, sizeof(s))) > > return -EFAULT; > > Err, but then we have lost 'ch' that was consumed by the > synth_buffer_getc() call, so the fix seems wrong to me. Oh. Whoops. So that means I'd need to first synth_buffer_peek(), then synth_buffer_get() afterwards (and discard the result that time)? But there are also no locks held at the moment the code is in there, which could cause that approach to lead to inconsistent results... do you want me to resend with synth_buffer_peek() and an additional mutex that is held throughout softsynthx_read()? Or should I rewrite the patch to be simple and just bail out on `count < 3`?
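
Review bot: In the softsynthx_read() hunk, the added `if (chars_sent + 2 > count) break;` sits after `s` has already been built from `ch`, so taking the `break` discards a character that, as the reply points out, synth_buffer_getc() has already consumed. The space check should run before the character is taken from the buffer, or a too-small `count` should be rejected before the loop starts. The bound also hard-codes `2` while the copy right below it uses `sizeof(s)`; writing it as `chars_sent + sizeof(s) > count` would keep the check tied to the size actually passed to copy_to_user().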