From: Jann Horn
Date: Tue, 10 Jul 2018 13:34:33 -0700
Subject: Re: [PATCH] staging: speakup: fix wraparound in uaccess length check
To: Samuel Thibault, William Hubbs, Christopher Brannon, kirk@reisers.ca, Greg Kroah-Hartman, kernel list, speakup@linux-speakup.org, devel@driverdev.osuosl.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jul 7, 2018 at 1:29 AM Samuel Thibault wrote:
>
> Re,
>
> Could you review, test, and resubmit the patch below instead?

Er... you mean, you want me to take your patch, add my Signed-off-by
below yours, and then send that?

> Samuel
>
>
> If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
> the loop to copy as much data as available to the provided buffer. If
> softsynthx_read() is invoked through sys_splice(), this causes an
> unbounded kernel write; but even when userspace just reads from it
> normally, a small size could cause userspace crashes.

This looks sane to me. I've also tested it, and it seems to work.

Some random thing I noticed, but I don't think it has anything to do
with this issue: In some runs, when the console is repeatedly printing
"Debian GNU/Linux 9 debian tty1\n\ndebian login: " in response to me
pressing enter repeatedly, /dev/softsynthu (read in 1-byte steps)
seems to return things like "Debian GNU slash Linux 9 debian tty1 \n
debi login: ". I don't understand why it sometimes says "debi login"
instead of "debian login".

> Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
> Cc: stable@vger.kernel.org
> Signed-off-by: Samuel Thibault
>
> --- a/drivers/staging/speakup/speakup_soft.c > +++ b/drivers/staging/speakup/speakup_soft.c 
> @@ -198,11 +198,15 @@ static ssize_t softsynthx_read(struct fi > int chars_sent = 0; > char __user *cp; > char *init; > + size_t bytes_per_ch = unicode ? 3 : 1; > u16 ch; > int empty; > unsigned long flags; > DEFINE_WAIT(wait); > > + if (count < bytes_per_ch) > + return -EINVAL; > + > spin_lock_irqsave(&speakup_info.spinlock, flags); > while (1) { > prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE); > @@ -228,7 +232,7 @@ static ssize_t softsynthx_read(struct fi > init = get_initstring(); > > /* Keep 3 bytes available for a 16bit UTF-8-encoded character */ > - while (chars_sent <= count - 3) { > + while (chars_sent <= count - bytes_per_ch) { > if (speakup_info.flushing) { > speakup_info.flushing = 0; > ch = '\x18';
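
Review bot: In the first hunk of softsynthx_read(), the new `if (count < bytes_per_ch) return -EINVAL;` check also rejects a zero-length read on the non-unicode path (bytes_per_ch is 1, so a count of 0 fails), and it carries no comment saying it exists to keep the later `count - bytes_per_ch` loop bound from wrapping. Consider a one-line comment above the check stating the minimum buffer size for each variant, and decide explicitly whether a count of 0 should return 0 rather than -EINVAL.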
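
Review bot: In the second hunk, the comment `/* Keep 3 bytes available for a 16bit UTF-8-encoded character */` is left unchanged above a loop bound that is now `count - bytes_per_ch`, so it is inaccurate when bytes_per_ch is 1; update it to describe both cases. The subtraction is safe only because of the early return added in the first hunk, so writing the condition as `chars_sent + bytes_per_ch <= count` would keep the bound free of wraparound without depending on that check.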
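
The wraparound described in the quoted commit message, as an added userspace model (not driver code and not part of the original mail). The function names, the `avail` parameter and the worst-case assumption that every queued character takes `bytes_per_ch` bytes are illustrative; nothing is actually copied, the functions only count bytes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the loop bound before the fix: `count - 3` on an unsigned type.
 * `avail` = queued characters (hypothetical stand-in for the synth buffer).
 * Returns the number of bytes the loop would write into a `count`-byte buffer. */
static size_t bytes_written_unchecked(size_t count, size_t avail, int unicode)
{
    size_t bytes_per_ch = unicode ? 3 : 1;
    size_t chars_sent = 0;

    /* For count < 3, count - 3 wraps to a value near SIZE_MAX, so only
     * `avail` limits the loop. */
    while (chars_sent <= count - 3 && avail > 0) {
        chars_sent += bytes_per_ch;
        avail--;
    }
    return chars_sent;
}

/* Model of the loop bound after the fix: reject short buffers up front,
 * then subtract a value that is known not to exceed count. */
static long bytes_written_checked(size_t count, size_t avail, int unicode)
{
    size_t bytes_per_ch = unicode ? 3 : 1;
    size_t chars_sent = 0;

    if (count < bytes_per_ch)
        return -EINVAL;
    while (chars_sent <= count - bytes_per_ch && avail > 0) {
        chars_sent += bytes_per_ch;
        avail--;
    }
    return (long)chars_sent;
}

int main(void)
{
    /* Constructed inputs: 100 queued characters, unicode variant. */
    for (size_t count = 0; count <= 7; count++)
        printf("count=%zu unchecked=%zu checked=%ld\n", count,
               bytes_written_unchecked(count, 100, 1),
               bytes_written_checked(count, 100, 1));
    return 0;
}
```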