From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Pengfei Wang <wpengfeinudt@gmail.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Kees Cook <keescook@chromium.org>,
Gwendal Grignou <gwendal@chromium.org>,
Olof Johansson <olof@lixom.net>
Subject: [PATCH 4.4 45/68] platform/chrome: cros_ec_dev - double fetch bug in ioctl
Date: Mon, 8 Aug 2016 21:11:20 +0200
Message-ID: <20160808180211.776041948@linuxfoundation.org>
In-Reply-To: <20160808180209.697765393@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 096cdc6f52225835ff503f987a0d68ef770bb78e upstream.
We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
that those values have not changed between the two copy_from_user()
calls. Otherwise it could lead to a buffer overflow.
Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
We should use the new smaller value so we don't copy too much data to
the user.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec_dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/platform/chrome/cros_ec_dev.c
+++ b/drivers/platform/chrome/cros_ec_dev.c
@@ -147,13 +147,19 @@ static long ec_device_ioctl_xcmd(struct
goto exit;
}
+ if (u_cmd.outsize != s_cmd->outsize ||
+ u_cmd.insize != s_cmd->insize) {
+ ret = -EINVAL;
+ goto exit;
+ }
+
s_cmd->command += ec->cmd_offset;
ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd);
/* Only copy data to userland if data was received. */
if (ret < 0)
goto exit;
- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize))
+ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
ret = -EFAULT;
exit:
kfree(s_cmd);
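Review bot: the new copy_to_user() bound `sizeof(*s_cmd) + s_cmd->insize` is only safe while s_cmd->insize never exceeds the u_cmd.insize the old line used, because that is the value the buffer was sized against; the equality check added at the top of the hunk makes them start equal and the commit message says cros_ec_cmd_xfer() can only lower insize, so it holds today, but the invariant now lives in the transport rather than in this function. Consider `min(s_cmd->insize, u_cmd.insize)` here so a future transport that grows insize cannot turn the copy into an over-read. The `u_cmd.outsize != s_cmd->outsize || u_cmd.insize != s_cmd->insize` block also deserves a one-line comment stating that it rejects a header that changed between the two copy_from_user() calls; without it the check reads as redundant with the size validation above the hunk and is at risk of being "cleaned up".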
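The bug class the commit message describes, modelled in userspace as an added example (not the kernel code and not part of this mail): the header is validated after the first fetch, a hypothetical concurrent writer is simulated by a callback in the window before the second fetch, and `recheck` applies the same mismatch test the patch adds. `xcmd_model`, `run_case`, `bump_sizes` and `EC_MAX_DATA` are all assumed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model of the cros_ec_dev ioctl double fetch (added example, not
 * the kernel code): "user memory" is a plain buffer, copy_from_user() is a
 * memcpy, and a hypothetical concurrent writer is a callback run between the
 * two fetches. EC_MAX_DATA stands in for the driver's size limit. */
struct cmd_hdr { uint32_t outsize; uint32_t insize; };
#define EC_MAX_DATA 64U
/* Returns the outsize the driver would go on to trust, or -1 if rejected.
 * recheck != 0 applies the upstream fix: sizes in the second fetch must equal
 * the ones validated after the first fetch. */
static long xcmd_model(unsigned char *user, int recheck,
                       void (*between_fetches)(unsigned char *))
{
    struct cmd_hdr u_cmd, *s_cmd;
    long trusted;
    memcpy(&u_cmd, user, sizeof(u_cmd));                  /* first fetch */
    if (u_cmd.outsize > EC_MAX_DATA || u_cmd.insize > EC_MAX_DATA)
        return -1;                                        /* validated */
    s_cmd = calloc(1, sizeof(*s_cmd) + EC_MAX_DATA);      /* sized now */
    if (!s_cmd)
        return -1;
    if (between_fetches)
        between_fetches(user);                            /* race window */
    memcpy(s_cmd, user, sizeof(*s_cmd) + u_cmd.outsize);  /* second fetch */
    if (recheck && (u_cmd.outsize != s_cmd->outsize ||
                    u_cmd.insize != s_cmd->insize)) {
        free(s_cmd);
        return -1;
    }
    trusted = s_cmd->outsize;  /* later code uses s_cmd's copy, not u_cmd */
    free(s_cmd);
    return trusted;
}
/* Constructed writer: rewrites the header after it was validated. */
static void bump_sizes(unsigned char *user)
{
    struct cmd_hdr big = { .outsize = 4096, .insize = 4096 };
    memcpy(user, &big, sizeof(big));
}
/* One scenario on a constructed 16-byte command; race fires the writer. */
static long run_case(int recheck, int race)
{
    unsigned char user[sizeof(struct cmd_hdr) + EC_MAX_DATA] = { 0 };
    struct cmd_hdr hdr = { .outsize = 16, .insize = 16 };
    memcpy(user, &hdr, sizeof(hdr));
    return xcmd_model(user, recheck, race ? bump_sizes : NULL);
}
```

Without the recheck the racing writer makes the driver trust a size that was never validated; with it the changed header is rejected with the same -EINVAL-style result the patch returns.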