Date: Wed, 11 Jul 2018 11:27:40 +0200
From: Greg Kroah-Hartman
To: Jann Horn
Cc: devel@driverdev.osuosl.org, kirk@reisers.ca, speakup@linux-speakup.org, kernel list, Samuel Thibault, Christopher Brannon
Subject: Re: [PATCH] staging: speakup: fix wraparound in uaccess length check
Message-ID: <20180711092740.GA3972@kroah.com>

On Tue, Jul 10, 2018 at 01:34:59PM -0700, Jann Horn wrote:
> On Sat, Jul 7, 2018 at 7:03 AM Greg Kroah-Hartman wrote:
> >
> > On Sat, Jul 07, 2018 at 10:29:26AM +0200, Samuel Thibault wrote:
> > > Re,
> > >
> > > Could you review, test, and resubmit the patch below instead?
> > >
> > > Samuel
> > >
> > >
> > > If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
> > > the loop to copy as much data as available to the provided buffer. If
> > > softsynthx_read() is invoked through sys_splice(), this causes an
> > > unbounded kernel write; but even when userspace just reads from it
> > > normally, a small size could cause userspace crashes.
> > >
> > > Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Samuel Thibault
> >
> > You forgot a "reported-by:" line :(
> >
> > also, I already applied Jann's patch, so could you either just send the
> > fixup, or a revert/add of this patch once you all agree on the proper
> > solution here?
>
> I think my patch was garbage (as both Samuel and Dan Carpenter's
> smatch warning pointed out) and should be reverted. Should I be
> sending the revert?

I'll just go drop it, thanks for letting me know.

greg k-h
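
Added example, not part of the thread and not code from the speakup driver: a userspace C model of the `count - 3` wraparound described in the quoted commit message, next to a form that checks the size before subtracting. The function names, the sample data, and returning 0 for a too-small buffer are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_CH ((size_t)3)   /* the "3" from the quoted description */

/* Constructed data standing in for the output waiting to be read (30 bytes). */
static const unsigned char pending[] = "abcdefghijklmnopqrstuvwxyz0123";
#define PENDING_LEN (sizeof(pending) - 1)

/* Shared copy loop. dst must hold PENDING_LEN bytes so this model stays
 * memory-safe; `count` plays the role of the size the caller asked for. */
static size_t copy_loop(unsigned char *dst, size_t count)
{
    size_t sent = 0;

    /* count - BYTES_PER_CH is size_t arithmetic: for count < 3 it wraps to
     * a value near SIZE_MAX and the second condition stops bounding anything. */
    while (sent + BYTES_PER_CH <= PENDING_LEN && sent <= count - BYTES_PER_CH) {
        memcpy(dst + sent, pending + sent, BYTES_PER_CH);
        sent += BYTES_PER_CH;
    }
    return sent;
}

/* Unchecked form: model of the behaviour the commit message describes. */
size_t read_wrapping(unsigned char *dst, size_t count)
{
    return copy_loop(dst, count);
}

/* Checked form: reject a buffer too small for one unit before subtracting.
 * Returning 0 is an assumption of this model, not the driver's behaviour. */
size_t read_checked(unsigned char *dst, size_t count)
{
    if (count < BYTES_PER_CH)
        return 0;
    return copy_loop(dst, count);
}

int main(void)
{
    unsigned char buf[64];
    size_t asked[] = { 0, 2, 3, 7 };

    for (size_t i = 0; i < sizeof(asked) / sizeof(asked[0]); i++)
        printf("count=%zu unchecked=%zu checked=%zu\n", asked[i],
               read_wrapping(buf, asked[i]), read_checked(buf, asked[i]));
    return 0;
}
```

For `count` values of 0 and 2 the unchecked form copies everything available, far more than the caller asked for, while both forms agree once `count` is at least 3.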