Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2972982imu; Sun, 9 Dec 2018 14:02:13 -0800 (PST) X-Google-Smtp-Source: AFSGD/WRuk/m530zOO/VsJ+ZaVt0fEiKlcY25mWq++4pbnNO4NSXcQclxqsH55r3ovPLe/Gj0IDS X-Received: by 2002:a63:1b1f:: with SMTP id b31mr8753256pgb.66.1544392933303; Sun, 09 Dec 2018 14:02:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544392933; cv=none; d=google.com; s=arc-20160816; b=q6CpscOFL35CRgSTchIlv6k9e12lD0uHYC4TKEnR5tf722Raoth+J5HUNmJ3RQSquh 4ciSXF9GM+tZ52CfiucLaCl3zUDtrrqVeDq9NiXU4PyCAK6SkIvug6BezcqwG2iW0fob 0scZ7TTS8RQboqnydXTy/PmH5rtXfZjzUAwnbskH1ep++KrZ+ZQhriq80Gq6VcHsMN1z UDkI1NZ+sXdJ/AVd3850DLTNlt6QUXJCkAsuJZDq698pgxXDJYIrJwAMF6fBGH8T7bNd wCA/86QRRRDfoVB7O+QhKB4QikzNTIL3yO09lKUE8OVQGmhp1yMu+n6HmgIL4BHSgj1J r9Fw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=sCq0YFdoH7aZFuQjPRGp5CBu9VWqEJTCBA6jPKSd/BE=; b=UX6nxEdsg31w95JzAPwWJDZ48jRNTL0MZ8mdbvOup13FLVvUBEVVNmrNF2MvQNuw0z SWfQr/qHWvyEoQIthBvONw61qnnC7O2s1hAW5gpwbUOfaWv3k4vi36+AJ9tDsg3bHCmq UCytJV42R1tq/isEG9LKR24KcXKkxCiyzhk9Oum+dldzshuYZGwSEVBQH18SPu8pdjxB KySBzhgjczgo81DR7N1RNOdaK6RRNKwEVGuDZyD6Qufs3qpOJeMAyV0GIClO9ESKd43o BED+V1fXOHxsjA2Y0+BXYHvWfXELIn7wpzx1ZGh4DIkpwlQJTC+8kqoycc/AXCi80R9g diAQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z143si9470306pfc.97.2018.12.09.14.01.58; Sun, 09 Dec 2018 14:02:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727203AbeLIWA2 (ORCPT + 99 others); Sun, 9 Dec 2018 17:00:28 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:36020 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbeLIVze (ORCPT ); Sun, 9 Dec 2018 16:55:34 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW72x-0002pp-JX; Sun, 09 Dec 2018 21:55:31 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72j-0003bX-74; Sun, 09 Dec 2018 21:55:17 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Jann Horn" , "Tony Lindgren" , security@kernel.org, "Will Deacon" , "Bartlomiej Zolnierkiewicz" , "Tomi Valkeinen" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 264/328] fbdev/omapfb: fix omapfb_memory_read infoleak In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Tomi Valkeinen commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream. OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies them to a userspace buffer. The code has two issues: - The user provided width and height could be large enough to overflow the calculations - The copy_to_user() can copy uninitialized memory to the userspace, which might contain sensitive kernel information. Fix these by limiting the width & height parameters, and only copying the amount of data that we actually received from the LCD. Signed-off-by: Tomi Valkeinen Reported-by: Jann Horn Cc: security@kernel.org Cc: Will Deacon Cc: Jann Horn Cc: Tony Lindgren Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Ben Hutchings --- drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c @@ -493,6 +493,9 @@ static int omapfb_memory_read(struct fb_ if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size)) return -EFAULT; + if (mr->w > 4096 || mr->h > 4096) + return -EINVAL; + if (mr->w * mr->h * 3 > mr->buffer_size) return -EINVAL; @@ -506,7 +509,7 @@ static int omapfb_memory_read(struct fb_ mr->x, mr->y, mr->w, mr->h); if (r > 0) { - if (copy_to_user(mr->buffer, buf, mr->buffer_size)) + if (copy_to_user(mr->buffer, buf, r)) r = -EFAULT; }