Date: Sat, 7 Jul 2018 10:29:26 +0200
From: Samuel Thibault
To: Jann Horn
Cc: William Hubbs, Chris Brannon, Kirk Reiser, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, speakup@linux-speakup.org, devel@driverdev.osuosl.org
Subject: Re: [PATCH] staging: speakup: fix wraparound in uaccess length check
Message-ID: <20180707082926.66zbedgq5zqjfbjx@var.youpi.perso.aquilenet.fr>
References: <20180707015344.146672-1-jannh@google.com>
In-Reply-To: <20180707015344.146672-1-jannh@google.com>

Re,

Could you review, test, and resubmit the patch below instead?

Samuel

If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing the loop to copy as much data as available to the provided buffer. If softsynthx_read() is invoked through sys_splice(), this causes an unbounded kernel write; but even when userspace just reads from it normally, a small size could cause userspace crashes.

Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Thibault

--- a/drivers/staging/speakup/speakup_soft.c +++ b/drivers/staging/speakup/speakup_soft.c @@ -198,11 +198,15 @@ static ssize_t softsynthx_read(struct fi int chars_sent = 0; char __user *cp; char *init; + size_t bytes_per_ch = unicode ? 3 : 1; u16 ch; int empty; unsigned long flags; DEFINE_WAIT(wait); + if (count < bytes_per_ch) + return -EINVAL; + spin_lock_irqsave(&speakup_info.spinlock, flags); while (1) { prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE);
@@ -228,7 +232,7 @@ static ssize_t softsynthx_read(struct fi init = get_initstring(); /* Keep 3 bytes available for a 16bit UTF-8-encoded character */ - while (chars_sent <= count - 3) { + while (chars_sent <= count - bytes_per_ch) { if (speakup_info.flushing) { speakup_info.flushing = 0; ch = '\x18';
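
Review bot: In the first hunk (@@ -198,11 +198,15 @@), the new guard "if (count < bytes_per_ch) return -EINVAL;" also rejects a zero-length read, which callers conventionally expect to return 0. Consider returning 0 for count == 0 and -EINVAL only for a non-zero count smaller than bytes_per_ch, or state in the commit message that the error for count == 0 is intended. The commit message still speaks of `count < 3`, while the guard uses 1 when unicode is not set; a sentence on the non-unicode case would make the change easier to backport.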
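
Review bot: In the second hunk (@@ -228,7 +232,7 @@), the comment above the loop still reads "Keep 3 bytes available for a 16bit UTF-8-encoded character" although the bound is now count - bytes_per_ch, which is 1 when unicode is not set; update the comment to match the new bound. The subtraction is safe only because of the count < bytes_per_ch check added in the first hunk, so a short comment tying the two together would help keep a later refactor from reintroducing the wrap. chars_sent is declared int and is compared here against a size_t expression; declaring it size_t would make the unsigned comparison explicit.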
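
The wraparound described in the commit message, as an added userspace model (not the driver's code and not part of the original mail): it counts the bytes the read loop would emit for a constructed queue, first with the original `count - 3` bound and then with the patch's guard. The function names, the sample queue and the one-byte-per-character non-unicode case are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed queue of pending characters; each encodes to 3 UTF-8 bytes. */
static const uint16_t sample_queue[8] = {
    0x20AC, 0x20AC, 0x20AC, 0x20AC, 0x20AC, 0x20AC, 0x20AC, 0x20AC
};

/* UTF-8 length of one 16-bit character. */
static size_t utf8_len(uint16_t ch)
{
    return ch < 0x80 ? 1 : ch < 0x800 ? 2 : 3;
}

/* Original bound: count - 3 in size_t arithmetic wraps when count < 3. */
long bytes_emitted_unguarded(size_t count, const uint16_t *q, size_t n)
{
    size_t sent = 0, i = 0;

    while (sent <= count - 3 && i < n)
        sent += utf8_len(q[i++]);
    return (long)sent;
}

/* Patched shape: refuse a buffer smaller than one character, then loop. */
long bytes_emitted_guarded(size_t count, int unicode,
                           const uint16_t *q, size_t n)
{
    size_t bytes_per_ch = unicode ? 3 : 1;
    size_t sent = 0, i = 0;

    if (count < bytes_per_ch)
        return -EINVAL;
    while (sent <= count - bytes_per_ch && i < n) {
        /* Assumption: the non-unicode device emits one byte per character. */
        sent += unicode ? utf8_len(q[i]) : 1;
        i++;
    }
    return (long)sent;
}

int main(void)
{
    printf("unguarded, count=2: %ld\n", bytes_emitted_unguarded(2, sample_queue, 8));
    printf("guarded,   count=2: %ld\n", bytes_emitted_guarded(2, 1, sample_queue, 8));
    return 0;
}
```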