[PATCH] video: arcfb: fix buffer overflow

linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] video: arcfb: fix buffer overflow
@ 2010-11-21 17:40 Vasiliy Kulikov
  2010-11-24  6:25 ` Paul Mundt
  0 siblings, 1 reply; 4+ messages in thread
From: Vasiliy Kulikov @ 2010-11-21 17:40 UTC (permalink / raw)
  To: kernel-janitors; +Cc: Jaya Kumar, linux-fbdev, linux-kernel

(count + p) is not checked for integer overflow.  If p < fbmemlength
and count = (size_t)(1 - p) (very big unsigned integer) then
count + p = 1 < fbmemlength and copy_to_user(base_addr+p, buf, count)
overflows base_addr.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 Compile tested only.

 drivers/video/arcfb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/video/arcfb.c b/drivers/video/arcfb.c
index 3ec4923..67a4cd4 100644
--- a/drivers/video/arcfb.c
+++ b/drivers/video/arcfb.c
@@ -454,7 +454,7 @@ static ssize_t arcfb_write(struct fb_info *info, const char __user *buf,
 	xres = info->var.xres;
 	fbmemlength = (xres * info->var.yres)/8;
 
-	if (p > fbmemlength)
+	if (p > fbmemlength || (p + count < p))
 		return -ENOSPC;
 
 	err = 0;
-- 
1.7.0.4


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] video: arcfb: fix buffer overflow
  2010-11-21 17:40 [PATCH] video: arcfb: fix buffer overflow Vasiliy Kulikov
@ 2010-11-24  6:25 ` Paul Mundt
  2010-11-24  6:46   ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Mundt @ 2010-11-24  6:25 UTC (permalink / raw)
  To: Vasiliy Kulikov; +Cc: kernel-janitors, Jaya Kumar, linux-fbdev, linux-kernel

On Sun, Nov 21, 2010 at 08:40:01PM +0300, Vasiliy Kulikov wrote:
> (count + p) is not checked for integer overflow.  If p < fbmemlength
> and count = (size_t)(1 - p) (very big unsigned integer) then
> count + p = 1 < fbmemlength and copy_to_user(base_addr+p, buf, count)
> overflows base_addr.
> 
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>

Applied, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] video: arcfb: fix buffer overflow
  2010-11-24  6:25 ` Paul Mundt
@ 2010-11-24  6:46   ` Dan Carpenter
  2010-11-24  6:59     ` Paul Mundt
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2010-11-24  6:46 UTC (permalink / raw)
  To: Paul Mundt
  Cc: Vasiliy Kulikov, kernel-janitors, Jaya Kumar, linux-fbdev,
	linux-kernel

On Wed, Nov 24, 2010 at 03:25:58PM +0900, Paul Mundt wrote:
> On Sun, Nov 21, 2010 at 08:40:01PM +0300, Vasiliy Kulikov wrote:
> > (count + p) is not checked for integer overflow.  If p < fbmemlength
> > and count = (size_t)(1 - p) (very big unsigned integer) then
> > count + p = 1 < fbmemlength and copy_to_user(base_addr+p, buf, count)
> > overflows base_addr.
> > 
> > Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> 
> Applied, thanks.

The patch is harmless, but the integer overflow would actually be caught
in rw_verify_area().

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] video: arcfb: fix buffer overflow
  2010-11-24  6:46   ` Dan Carpenter
@ 2010-11-24  6:59     ` Paul Mundt
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Mundt @ 2010-11-24  6:59 UTC (permalink / raw)
  To: Dan Carpenter, Vasiliy Kulikov, kernel-janitors, Jaya Kumar,
	linux-fbdev, linux-kernel

On Wed, Nov 24, 2010 at 09:46:49AM +0300, Dan Carpenter wrote:
> On Wed, Nov 24, 2010 at 03:25:58PM +0900, Paul Mundt wrote:
> > On Sun, Nov 21, 2010 at 08:40:01PM +0300, Vasiliy Kulikov wrote:
> > > (count + p) is not checked for integer overflow.  If p < fbmemlength
> > > and count = (size_t)(1 - p) (very big unsigned integer) then
> > > count + p = 1 < fbmemlength and copy_to_user(base_addr+p, buf, count)
> > > overflows base_addr.
> > > 
> > > Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> > 
> > Applied, thanks.
> 
> The patch is harmless, but the integer overflow would actually be caught
> in rw_verify_area().
> 
Ah, so it is, I'll drop it then, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-11-24  6:59 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-11-21 17:40 [PATCH] video: arcfb: fix buffer overflow Vasiliy Kulikov
2010-11-24  6:25 ` Paul Mundt
2010-11-24  6:46   ` Dan Carpenter
2010-11-24  6:59     ` Paul Mundt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).