From: Andrew Morton <akpm@linux-foundation.org>
To: Dan Carpenter <error27@gmail.com>
Cc: linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [RFC] [patch] fbcmap: integer overflow bug
Date: Fri, 05 Nov 2010 20:40:18 +0000 [thread overview]
Message-ID: <20101105134018.2c11f283.akpm@linux-foundation.org> (raw)
In-Reply-To: <20101027093716.GD6062@bicker>
On Wed, 27 Oct 2010 11:37:16 +0200
Dan Carpenter <error27@gmail.com> wrote:
> There is an integer overflow bug in the FBIOPUTCMAP ioctl if
> cmap->len * 2 overflows.
>
> It's harmless, except that it messes up the cmap until someone types
> `reset`. It could have been caught by checking the return from
> fb_copy_cmap().
>
> Or it could have been caught by limiting the size of the cmaps to one
> page. The cmaps are allocated with GFP_ATOMIC and it makes sense to
> limit them.
>
> Different drivers use different sizes of cmaps. There are about 150
> drivers. I've checked a bunch (50) of them and the larges cmap.len I've
> found is gxt4500 which maxes out at 1024 so PAGE_SIZE is about twice that
> length. For some of the 50 I wasn't sure on the limit.
>
> Is PAGE_SIZE a reasonable limit? Does anyone know or do I have to audit
> all 150 drivers?
No signed-off-by:.
> diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c
> index f53b9f1..6dc5817 100644
> --- a/drivers/video/fbcmap.c
> +++ b/drivers/video/fbcmap.c
> @@ -110,7 +110,9 @@ int fb_alloc_cmap(struct fb_cmap *cmap, int len, int transp)
> }
> cmap->start = 0;
> cmap->len = len;
> - fb_copy_cmap(fb_default_cmap(len), cmap);
> + if (fb_copy_cmap(fb_default_cmap(len), cmap))
> + goto fail;
> +
> return 0;
>
> fail:
> @@ -250,6 +252,9 @@ int fb_set_user_cmap(struct fb_cmap_user *cmap, struct fb_info *info)
> int rc, size = cmap->len * sizeof(u16);
> struct fb_cmap umap;
>
> + if (cmap->len > PAGE_SIZE || cmap->len * sizeof(u16) > PAGE_SIZE)
> + return -EINVAL;
> +
> memset(&umap, 0, sizeof(struct fb_cmap));
> rc = fb_alloc_cmap(&umap, cmap->len, cmap->transp != NULL);
> if (rc)
A suitable way to fix this would be to detect the overflow only, and
then just throw the passed-in length at kmalloc(), and let kmalloc()
decide whether it is sane or not.
To do that, one would need to implement a new
fb_alloc_cmap_not_stupid() which takes a gfp_t, and pass in GFP_KERNEL.
Feel free to sanitise the fb_alloc_cmap() indenting in [patch 1/2] as well ;)
next prev parent reply other threads:[~2010-11-05 20:40 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-27 9:37 [RFC] [patch] fbcmap: integer overflow bug Dan Carpenter
2010-11-05 20:40 ` Andrew Morton [this message]
2010-11-13 10:06 ` [patch 1/2] fbcmap: cleanup white space in fb_alloc_cmap() Dan Carpenter
2010-11-18 6:00 ` Paul Mundt
2010-11-13 10:07 ` [patch 2/2] fbcmap: integer overflow bug Dan Carpenter
2010-11-15 4:48 ` Paul Mundt
2010-11-15 6:56 ` Geert Uytterhoeven
2010-11-15 7:20 ` Dan Carpenter
2010-11-15 8:01 ` walter harms
2010-11-15 8:14 ` Dan Carpenter
2010-11-16 9:11 ` [patch 2/2 v2] " Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101105134018.2c11f283.akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=error27@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).