Patch "staging: ncpfs: memory corruption in ncp_read_kernel()" has been added to the 4.14-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "staging: ncpfs: memory corruption in ncp_read_kernel()" has been added to the 4.14-stable tree
@ 2018-03-25 10:04 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2018-03-25 10:04 UTC (permalink / raw)
  To: dan.carpenter, gregkh, silvio.cesare, stable; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    staging: ncpfs: memory corruption in ncp_read_kernel()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 4c41aa24baa4ed338241d05494f2c595c885af8f Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 19 Mar 2018 14:07:45 +0300
Subject: staging: ncpfs: memory corruption in ncp_read_kernel()

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4c41aa24baa4ed338241d05494f2c595c885af8f upstream.

If the server is malicious then *bytes_read could be larger than the
size of the "target" buffer.  It would lead to memory corruption when we
do the memcpy().

Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ncpfs/ncplib_kernel.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ncpfs/ncplib_kernel.c
+++ b/fs/ncpfs/ncplib_kernel.c
@@ -981,6 +981,10 @@ ncp_read_kernel(struct ncp_server *serve
 		goto out;
 	}
 	*bytes_read = ncp_reply_be16(server, 0);
+	if (*bytes_read > to_read) {
+		result = -EINVAL;
+		goto out;
+	}
 	source = ncp_reply_data(server, 2 + (offset & 1));
 
 	memcpy(target, source, *bytes_read);


Patches currently in stable-queue which might be from dan.carpenter@oracle.com are

queue-4.14/staging-ncpfs-memory-corruption-in-ncp_read_kernel.patch
queue-4.14/iio-adc-meson-saradc-unlock-on-error-in-meson_sar_adc_lock.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2018-03-25 10:05 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-25 10:04 Patch "staging: ncpfs: memory corruption in ncp_read_kernel()" has been added to the 4.14-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).