From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter
Subject: [PATCH 4.14 57/69] staging: vc04_services: prevent integer overflow in create_pagelist()
Date: Fri, 7 Jun 2019 17:39:38 +0200
Message-Id: <20190607153855.153931634@linuxfoundation.org>
In-Reply-To: <20190607153848.271562617@linuxfoundation.org>

From: Dan Carpenter

commit ca641bae6da977d638458e78cd1487b6160a2718 upstream.

The create_pagelist() "count" parameter comes from the user in vchiq_ioctl() and it could overflow. If you look at how create_page() is called in vchiq_prepare_bulk_data(), then the "size" variable is an int so it doesn't make sense to allow negatives or larger than INT_MAX.

I don't know this code terribly well, but I believe that typical values of "count" are typically quite low and I don't think this check will affect normal valid uses at all.

The "pagelist_size" calculation can also overflow on 32 bit systems, but not on 64 bit systems. I have added an integer overflow check for that as well.

The Raspberry PI doesn't offer the same level of memory protection that x86 does so these sorts of bugs are probably not super critical to fix.

Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver")
Signed-off-by: Dan Carpenter
Cc: stable
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c 
@@ -405,9 +405,18 @@ create_pagelist(char __user *buf, size_t int dma_buffers; dma_addr_t dma_addr; + if (count >= INT_MAX - PAGE_SIZE) + return NULL; + offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1)); num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE); + if (num_pages > (SIZE_MAX - sizeof(PAGELIST_T) - + sizeof(struct vchiq_pagelist_info)) / + (sizeof(u32) + sizeof(pages[0]) + + sizeof(struct scatterlist))) + return NULL; + pagelist_size = sizeof(PAGELIST_T) + (num_pages * sizeof(u32)) + (num_pages * sizeof(pages[0]) +
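
Review bot: The second check open-codes the per-page cost, (sizeof(u32) + sizeof(pages[0]) + sizeof(struct scatterlist)), separately from the pagelist_size expression directly below it, so the bound and the sum it protects can drift apart if a term is later added to one and not the other. Computing the per-page size once into a local and using it in both the check and the pagelist_size calculation would keep the two tied together. The first check, count >= INT_MAX - PAGE_SIZE, would also benefit from a one-line comment: the PAGE_SIZE margin is what keeps count + offset below INT_MAX when it reaches DIV_ROUND_UP(), since offset is masked with PAGE_SIZE - 1, and the reason for an int-sized limit is currently recorded only in the commit message.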