From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter
Subject: [PATCH 4.9 45/83] staging: vc04_services: prevent integer overflow in create_pagelist()
Date: Sun, 9 Jun 2019 18:42:15 +0200
Message-Id: <20190609164131.760341489@linuxfoundation.org>
In-Reply-To: <20190609164127.843327870@linuxfoundation.org>
References: <20190609164127.843327870@linuxfoundation.org>

From: Dan Carpenter

commit ca641bae6da977d638458e78cd1487b6160a2718 upstream.

The create_pagelist() "count" parameter comes from the user in
vchiq_ioctl() and it could overflow.  If you look at how create_page()
is called in vchiq_prepare_bulk_data(), then the "size" variable is an
int so it doesn't make sense to allow negatives or larger than INT_MAX.

I don't know this code terribly well, but I believe that typical values
of "count" are typically quite low and I don't think this check will
affect normal valid uses at all.

The "pagelist_size" calculation can also overflow on 32 bit systems, but
not on 64 bit systems.  I have added an integer overflow check for that
as well.

The Raspberry PI doesn't offer the same level of memory protection that
x86 does so these sorts of bugs are probably not super critical to fix.

Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver")
Signed-off-by: Dan Carpenter
Cc: stable
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
@@ -381,9 +381,18 @@ create_pagelist(char __user *buf, size_t int run, addridx, actual_pages; unsigned long *need_release; + if (count >= INT_MAX - PAGE_SIZE) + return NULL; + offset = (unsigned int)buf & (PAGE_SIZE - 1); num_pages = (count + offset + PAGE_SIZE - 1) / PAGE_SIZE; + if (num_pages > (SIZE_MAX - sizeof(PAGELIST_T) - + sizeof(struct vchiq_pagelist_info)) / + (sizeof(u32) + sizeof(pages[0]) + + sizeof(struct scatterlist))) + return NULL; + *ppagelist = NULL; /* Allocate enough storage to hold the page pointers and the page
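
Review bot: Both new early returns sit above the unchanged `*ppagelist = NULL;` line, so on these two paths the function returns NULL without ever writing the out-parameter. If any caller inspects `*ppagelist` after a failed call, it will see whatever the variable held before; moving `*ppagelist = NULL;` ahead of the `count >= INT_MAX - PAGE_SIZE` test would make every failure path leave it in the same state. Separately, the `num_pages` bound only works while its terms (`sizeof(PAGELIST_T)`, `sizeof(struct vchiq_pagelist_info)`, and the per-page `sizeof(u32) + sizeof(pages[0]) + sizeof(struct scatterlist)`) match the `pagelist_size` calculation the commit message refers to, so a short comment tying the two together, or deriving both from one shared definition, would keep them from drifting apart. A one-line comment on why the first limit is `INT_MAX - PAGE_SIZE` rather than `INT_MAX` would also help the next reader.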