From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: re: mfd: cros_ec: Use a zero-length array for command data
Date: Tue, 23 Jun 2015 13:41:04 +0000 [thread overview]
Message-ID: <20150623134104.GA10310@mwanda> (raw)
Hello Javier Martinez Canillas,
The patch a841178445bb: "mfd: cros_ec: Use a zero-length array for
command data" from Jun 9, 2015, has memory corruption issues.
drivers/platform/chrome/cros_ec_dev.c
130 static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
131 {
132 long ret;
133 struct cros_ec_command u_cmd;
134 struct cros_ec_command *s_cmd;
135
136 if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
137 return -EFAULT;
138
139 s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This can integer overflow on 32 bit systems leading to a smaller s_cmd
than intended.
140 GFP_KERNEL);
141 if (!s_cmd)
142 return -ENOMEM;
143
144 if (copy_from_user(s_cmd, arg, sizeof(*s_cmd) + u_cmd.outsize)) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Memory corruption.
145 ret = -EFAULT;
146 goto exit;
147 }
148
regards,
dan carpenter
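Added example, not from this report or the cros_ec driver: a user-space C model of the size computation at line 139 and the copy at line 144, with the arithmetic done in 32-bit unsigned to reproduce the wrap on a 32-bit size_t, next to a bounded version that rejects oversized sizes before any arithmetic. The struct layout and the MAX_XFER_SIZE bound are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the command header; field layout is assumed. */
struct cros_ec_command_model {
	uint32_t version;
	uint32_t command;
	uint32_t outsize;
	uint32_t insize;
	uint32_t result;
	uint8_t  data[];	/* zero-length array from the patch under discussion */
};

/* Assumed upper bound on a transfer; the driver's real limit is not on this page. */
#define MAX_XFER_SIZE 0x100u

static uint32_t max_u32(uint32_t a, uint32_t b) { return a > b ? a : b; }

/* Mirrors line 139: sizeof(*s_cmd) + max(outsize, insize), computed in
 * 32 bits to model a 32-bit size_t.  A huge outsize wraps to a tiny value. */
static uint32_t alloc_size_unchecked(uint32_t outsize, uint32_t insize)
{
	return (uint32_t)sizeof(struct cros_ec_command_model) + max_u32(outsize, insize);
}

/* Hardened: bound both sizes first so the sum cannot wrap and the later
 * copy of sizeof + outsize bytes always fits.  Returns 0 on rejection. */
static uint32_t alloc_size_checked(uint32_t outsize, uint32_t insize)
{
	if (outsize > MAX_XFER_SIZE || insize > MAX_XFER_SIZE)
		return 0;
	return (uint32_t)sizeof(struct cros_ec_command_model) + max_u32(outsize, insize);
}

/* Would the copy at line 144 (sizeof + outsize bytes) stay inside alloc? */
static bool copy_fits(uint32_t alloc, uint32_t outsize)
{
	uint64_t need = (uint64_t)sizeof(struct cros_ec_command_model) + outsize;
	return need <= alloc;
}

int main(void)
{
	uint32_t bad = 0xFFFFFFF0u;	/* constructed oversized request */
	printf("unchecked alloc for outsize=%#x: %u bytes, copy fits: %d\n",
	       bad, alloc_size_unchecked(bad, 0), copy_fits(alloc_size_unchecked(bad, 0), bad));
	printf("checked alloc for the same request: %u (0 = rejected)\n", alloc_size_checked(bad, 0));
	return 0;
}
```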