From: Randy Dunlap <rdunlap@infradead.org>
To: Gwendal Grignou <gwendal@chromium.org>,
olofj@chromium.org, alan@lxorguk.ukuu.org.uk,
javier.martinez@collabora.co.uk
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] platform/chrome: cros_ec_dev - Fix security issue
Date: Thu, 3 Mar 2016 10:35:35 -0800 [thread overview]
Message-ID: <56D883F7.6020002@infradead.org> (raw)
In-Reply-To: <1456984736-19811-1-git-send-email-gwendal@chromium.org>
On 03/02/16 21:58, Gwendal Grignou wrote:
> Add a check to prevent memory scribbe when sending an ioctl with .insize
scribble
> set so large that memory allocation argument overflows.
>
> Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
> ---
> drivers/platform/chrome/cros_ec_dev.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
> index d45cd25..86d6373 100644
> --- a/drivers/platform/chrome/cros_ec_dev.c
> +++ b/drivers/platform/chrome/cros_ec_dev.c
> @@ -131,13 +131,23 @@ static ssize_t ec_device_read(struct file *filp, char __user *buffer,
> static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
> {
> long ret;
> + size_t data_size;
> struct cros_ec_command u_cmd;
> struct cros_ec_command *s_cmd;
>
> if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
> return -EFAULT;
>
> - s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
> + /*
> + * Prevent mallicious attack where .inside is so big that amount
malicious .insize
> + * kmalloc'ed rollover, allowing memcpy to write beyond the allocated
> + * space.
> + */
> + data_size = max(u_cmd.outsize, u_cmd.insize);
> + if (data_size + sizeof(*s_cmd) < data_size)
> + return -EINVAL;
> +
> + s_cmd = kmalloc(sizeof(*s_cmd) + data_size,
> GFP_KERNEL);
> if (!s_cmd)
> return -ENOMEM;
>
--
~Randy
next prev parent reply other threads:[~2016-03-03 18:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-01 20:33 Security hole in cros_ec_dev.c on 32bit chrome hosts Alan Cox
2016-03-03 5:58 ` [PATCH] platform/chrome: cros_ec_dev - Fix security issue Gwendal Grignou
2016-03-03 18:35 ` Randy Dunlap [this message]
2016-03-03 19:00 ` [PATCH v2] " Gwendal Grignou
2016-03-06 20:11 ` Olof Johansson
2016-03-08 17:02 ` Gwendal Grignou
2016-03-08 17:13 ` [PATCH v3] " Gwendal Grignou
2016-05-11 17:58 ` Olof Johansson
-- strict thread matches above, loose matches on Subject: below --
2021-03-17 23:55 [PATCH] " Gwendal Grignou
2021-03-18 5:51 ` Greg KH
2021-03-18 7:54 ` Lee Jones
2021-03-18 8:09 ` Greg KH
2021-03-18 8:20 ` Lee Jones
2021-03-18 18:08 ` Gwendal Grignou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56D883F7.6020002@infradead.org \
--to=rdunlap@infradead.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=gwendal@chromium.org \
--cc=javier.martinez@collabora.co.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=olofj@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.