From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tomi Valkeinen, Jann Horn, security@kernel.org, Will Deacon, Tony Lindgren, Bartlomiej Zolnierkiewicz
Subject: [PATCH 4.14 08/45] fbdev/omapfb: fix omapfb_memory_read infoleak
Date: Thu, 11 Oct 2018 17:39:35 +0200
Message-Id: <20181011152509.215560811@linuxfoundation.org>
In-Reply-To: <20181011152508.885515042@linuxfoundation.org>
References: <20181011152508.885515042@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tomi Valkeinen

commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream.

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations

- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen
Reported-by: Jann Horn
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon
Cc: Jann Horn
Cc: Tony Lindgren
Signed-off-by: Bartlomiej Zolnierkiewicz
Signed-off-by: Greg Kroah-Hartman
---
 drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c 
@@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_ if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size)) return -EFAULT; + if (mr->w > 4096 || mr->h > 4096) + return -EINVAL; + if (mr->w * mr->h * 3 > mr->buffer_size) return -EINVAL; @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_ mr->x, mr->y, mr->w, mr->h); if (r > 0) { - if (copy_to_user(mr->buffer, buf, mr->buffer_size)) + if (copy_to_user(mr->buffer, buf, r)) r = -EFAULT; }
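
Review bot: In the first hunk (@@ -496,6 +496,9 @@), the new bound "mr->w > 4096 || mr->h > 4096" uses a bare literal with no comment tying it to the multiplication it protects. The limit exists so that "mr->w * mr->h * 3" on the following line cannot wrap before it is compared with mr->buffer_size (4096 * 4096 * 3 fits comfortably in 32 bits), and a named constant with a one-line comment saying so would keep a later change to the limit or to the bytes-per-pixel factor from silently reintroducing the overflow. The check is also only an upper bound: it is sufficient if w and h are unsigned, which the hunk does not show, and a zero width or height still passes both tests, so it is worth confirming that the code after this point handles a zero-sized read.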
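
Review bot: In the second hunk (@@ -509,7 +512,7 @@), "copy_to_user(mr->buffer, buf, r)" now trusts the return value of the read call as the copy length, and nothing in the visible lines checks that r does not exceed mr->buffer_size. The only guard shown is "r > 0", so the copy stays inside both buf and the range validated by access_ok() only if the display driver's read callback never reports more bytes than the w * h * 3 that was checked earlier. Clamping the length to mr->buffer_size, or rejecting r > mr->buffer_size with an error, would make the fix independent of every driver behind that callback behaving correctly.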