Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2118232imm; Tue, 10 Jul 2018 13:39:19 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfq+5qvYeLSCBcI1z9ocrrrlV6rS99TXs9J4n6z0tezwhgZwe6h9P5OgYTPze6sF8aO58Qk X-Received: by 2002:a17:902:3381:: with SMTP id b1-v6mr26573951plc.248.1531255159554; Tue, 10 Jul 2018 13:39:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531255159; cv=none; d=google.com; s=arc-20160816; b=FcRKSEj0GNXckiJAHUaO2dPgsYZz+08u+qIo+9Okl7GE7x6c/S7J70d5EucqWuH4H7 qRtWg4FKcUPWQuGNG0dWk4IavRTKhhKLz43VUORpkpc7QUcFjBdOcmuN/1KPOkjQqmUu j4dv87fYF5c1UFNIPbm1xjlZQDkBzQ10Lyvl+frXzjRMZ2MIwLavZWxZcKmGGxDqtRLo JqwHDiDX7Bu4GqN85/SXJjHKaul/OZG7RIdJKNZzOiGy3y9WCU/wI3NuYVabYZWs474M vN5HNN0NpEfkCpes1N8I6D00v2v/V8mLu6wjDHbuQWs4gMTpb+rqN5g34CDb1oVnOZLV SxKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=JhNwQwbY5E2WgQywK3pdK45I/bDTI0gSh5WcKqcJ5kk=; b=lhSFN54MzKAnHWW6KJJdihEYj5hIKbCuhMNhvzvim6ePPlT4sYtg9o7qon28c5QY4f nRkGoIOFSWVPybDT3Tp74LOLLroAWqIY2F+6IwMjWLY8m8I/E9UnzSLPxP2GwZzFoJ8f zUY2rJQ/52MXxUgKDmni6211e+F66hk4qhkSs/6NK7r06gPDshv6dOhbu9oSYi5dsS+W q4+sWfzIrKFi8gLSJttUi7Zp3ZzWCc/8syc2koSxrluQTIE/xPrU303rmtK2h2QBWHug XDJ7eTSm7BXXbkZSlYuVzqccSKFScQXKwthlNHexAakbEB4cWrsdDadG59tqOUGEJxo5 DM3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Il58tFBc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 26-v6si16996934pgo.169.2018.07.10.13.39.04; Tue, 10 Jul 2018 13:39:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Il58tFBc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732771AbeGJUgK (ORCPT + 99 others); Tue, 10 Jul 2018 16:36:10 -0400 Received: from mail-oi0-f66.google.com ([209.85.218.66]:40235 "EHLO mail-oi0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732290AbeGJUgJ (ORCPT ); Tue, 10 Jul 2018 16:36:09 -0400 Received: by mail-oi0-f66.google.com with SMTP id w126-v6so45186323oie.7 for ; Tue, 10 Jul 2018 13:35:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JhNwQwbY5E2WgQywK3pdK45I/bDTI0gSh5WcKqcJ5kk=; b=Il58tFBcTYhsmWPMJAuFA/NSsmKyl5ZpJ7+Y84duiwYl47+bvpJ/qb2iBpPhLIinYo wiapk0mM3rWFczjPqeb81KuynlKu6UiVsVIcuLMh/XvynlxFiE9a3sZ7+6dm28Hvexz1 Ix35WsoY/p2F72BK5PtTkfQnRTH/xUXz/AePK705vfwwInsLA9una0xxEMdP+mUX60qo Xh+Mpx3/vUibdG6RU8p2qmWsw2SfMLdYRJpvz2yywESiI/u+n+voDpas2r8AmBc+qUHn zcCOwMdorLmLGUnidc84IU4kqzLgUMMazzbFvChXWd6NR0O8XMXzP20fAol2dCgy3m0C zqRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JhNwQwbY5E2WgQywK3pdK45I/bDTI0gSh5WcKqcJ5kk=; b=OoQ6OMPINAlQaUjuWtVzWsRclWbv7vOstcMaP+wSB2D651b6CC8aKYtEklGwPUN0+x ZQG+vIAXhqiSPo+3ncumUprD+0LyJf+WFecF/JAC3hPm69oW44q0WO3TymwS/3oJKb9G lTIRBw6Mxw6EUodE0DlDRnfZG31XoDbeFeS9rfc7yp6okfxr81176cjZGIrT8qDOfK1W eydPNzkLRbcqT0BX5zXOtP+H5uVCtrPEKuGvxkSJ2ecl+xnBjEXFhHbb3U3UEWCzmDy+ IX6+wBn+XV9vB/uZmDsYDnQ1VZvQ1z54ToEuwtfNrKRvUnkhUeocjiycUYdto3tTRMkB 1Mtw== X-Gm-Message-State: APt69E1XNecrMTGj1Ypv55MoiB40Y6Z4EUv5P8OygppHpC15oTp7/mIJ F96LY9mtcLCAt0r4DLqaZmdqG72QJsLXvRkBzfx5gw== X-Received: by 2002:aca:5004:: with SMTP id e4-v6mr31476113oib.111.1531254926260; Tue, 10 Jul 2018 13:35:26 -0700 (PDT) MIME-Version: 1.0 References: <20180707015344.146672-1-jannh@google.com> <20180707082926.66zbedgq5zqjfbjx@var.youpi.perso.aquilenet.fr> <20180707140343.GA7052@kroah.com> In-Reply-To: <20180707140343.GA7052@kroah.com> From: Jann Horn Date: Tue, 10 Jul 2018 13:34:59 -0700 Message-ID: Subject: Re: [PATCH] staging: speakup: fix wraparound in uaccess length check To: Greg Kroah-Hartman Cc: Samuel Thibault , William Hubbs , Christopher Brannon , kirk@reisers.ca, kernel list , speakup@linux-speakup.org, devel@driverdev.osuosl.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 7, 2018 at 7:03 AM Greg Kroah-Hartman wrote: > > On Sat, Jul 07, 2018 at 10:29:26AM +0200, Samuel Thibault wrote: > > Re, > > > > Could you review, test, and resubmit the patch below instead? > > > > Samuel > > > > > > If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing > > the loop to copy as much data as available to the provided buffer. If > > softsynthx_read() is invoked through sys_splice(), this causes an > > unbounded kernel write; but even when userspace just reads from it > > normally, a small size could cause userspace crashes. > > > > Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth") > > Cc: stable@vger.kernel.org > > Signed-off-by: Samuel Thibault > > You forgot a "reported-by:" line :( > > also, I already applied Jann's patch, so could you either just send the > fixup, or a revert/add of this patch once you all agree on the proper > solution here? I think my patch was garbage (as both Samuel and Dan Carpenter's smatch warning pointed out) and should be reverted. Should I be sending the revert?