From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sasha Levin, Alexander Shishkin, Sasha Levin
Subject: [PATCH 4.4 060/131] stm class: Prevent user-controllable allocations
Date: Mon, 1 Apr 2019 19:02:10 +0200
Message-Id: <20190401170057.328475167@linuxfoundation.org>
In-Reply-To: <20190401170051.645954551@linuxfoundation.org>
References: <20190401170051.645954551@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit f08b18266c7116e2ec6885dd53a928f580060a71 ]

Currently, the character device write method allocates a temporary buffer
for user's data, but the user's data size is not sanitized and can cause
arbitrarily large allocations via kzalloc() or an integer overflow that
will then result in overwriting kernel memory.

This patch trims the input buffer size to avoid these issues.

Reported-by: Sasha Levin
Signed-off-by: Alexander Shishkin
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
--- drivers/hwtracing/stm/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index f286de2e86af..e4fa583b57a6 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c @@ -410,6 +410,9 @@ static ssize_t stm_char_write(struct file *file, const char __user *buf, char *kbuf; int err; + if (count + 1 > PAGE_SIZE) + count = PAGE_SIZE - 1; + /* * if no m/c have been assigned to this writer up to this * point, use "default" policy entry -- 2.19.1
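
Review bot: the new check at the top of stm_char_write() does arithmetic on the untrusted value before bounding it. If count is an unsigned size type at its maximum, `count + 1 > PAGE_SIZE` wraps to zero and the clamp is skipped, which is the same class of integer overflow the commit message says it is closing. Writing the test as `if (count >= PAGE_SIZE)` gives the same limit with no addition on user-controlled input, and it does not rely on the caller having already bounded count. The clamp also shortens the write to PAGE_SIZE - 1 bytes silently instead of rejecting it; a short comment saying why the limit is PAGE_SIZE - 1 rather than PAGE_SIZE, and that longer writes are truncated, would make the intent clear to the next reader.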