From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tomi Valkeinen, Jann Horn, security@kernel.org, Will Deacon, Tony Lindgren, Bartlomiej Zolnierkiewicz
Subject: [PATCH 4.4 02/27] fbdev/omapfb: fix omapfb_memory_read infoleak
Date: Thu, 11 Oct 2018 17:34:49 +0200
Message-Id: <20181011152534.130039788@linuxfoundation.org>
In-Reply-To: <20181011152534.014964888@linuxfoundation.org>
References: <20181011152534.014964888@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tomi Valkeinen

commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream.

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen
Reported-by: Jann Horn
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon
Cc: Jann Horn
Cc: Tony Lindgren
Signed-off-by: Bartlomiej Zolnierkiewicz
Signed-off-by: Greg Kroah-Hartman
---
 drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_ if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size)) return -EFAULT; + if (mr->w > 4096 || mr->h > 4096) + return -EINVAL; + if (mr->w * mr->h * 3 > mr->buffer_size) return -EINVAL; @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_ mr->x, mr->y, mr->w, mr->h); if (r > 0) { - if (copy_to_user(mr->buffer, buf, mr->buffer_size)) + if (copy_to_user(mr->buffer, buf, r)) r = -EFAULT; }
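
Review bot: In the second hunk (@@ -509,7 +512,7 @@), "copy_to_user(mr->buffer, buf, r)" now trusts r, the return value of the read call whose arguments end just above, to be no larger than mr->buffer_size, which is the only length access_ok() validated in the earlier context lines. Nothing in the visible lines enforces that, so the fix for the infoleak depends on every display driver's read routine reporting an honest byte count. Consider clamping the length to mr->buffer_size (or returning an error when r exceeds it) before the copy, and documenting that r is the number of bytes actually written into buf.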
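
Added example (not part of the original patch or of the omapfb driver): a userspace C model of the two issues the commit message names, showing the size check wrapping before the fix and stale bytes being copied out when the copy length is the buffer size rather than the bytes received. The function names, the 32-bit arithmetic and the buffer contents are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DIM 4096u /* per-dimension limit added by the patch */

/* Pre-patch size check. Assumption: the product is evaluated in
 * 32-bit unsigned arithmetic, so it can wrap modulo 2^32. */
static int size_ok_unpatched(uint32_t w, uint32_t h, uint32_t buffer_size)
{
    return w * h * 3u <= buffer_size;
}

/* Patched check: with both dimensions <= 4096 the product is at most
 * 4096 * 4096 * 3 = 50331648, which cannot wrap. */
static int size_ok_patched(uint32_t w, uint32_t h, uint32_t buffer_size)
{
    if (w > MAX_DIM || h > MAX_DIM)
        return 0;
    return w * h * 3u <= buffer_size;
}

/* Model of the copy step. kbuf stands in for the kernel's buf, ubuf for
 * the user buffer. Only `received` bytes of kbuf were filled by the
 * read; the rest still holds stale data (0xAA, constructed).
 * Returns how many stale bytes reached ubuf. */
static size_t stale_bytes_copied(int patched)
{
    uint8_t kbuf[64], ubuf[64];
    const size_t buffer_size = sizeof(ubuf), received = 16;
    size_t i, stale = 0;

    memset(kbuf, 0xAA, sizeof(kbuf));   /* uninitialised allocation */
    memset(kbuf, 0x11, received);       /* pixels actually read */
    memset(ubuf, 0x00, sizeof(ubuf));

    /* pre-patch copies buffer_size bytes, patched copies r bytes */
    memcpy(ubuf, kbuf, patched ? received : buffer_size);

    for (i = 0; i < sizeof(ubuf); i++)
        stale += (ubuf[i] == 0xAA);
    return stale;
}
```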