[ 39/48] spi: spidev: fix possible arithmetic overflow for multi-transfer message

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ian Abbott <abbotti@mev.co.uk>, Mark Brown <broonie@kernel.org>,
	Ben Hutchings <ben@decadent.org.uk>, Willy Tarreau <w@1wt.eu>
Subject: [ 39/48] spi: spidev: fix possible arithmetic overflow for multi-transfer message
Date: Fri, 15 May 2015 10:06:09 +0200	[thread overview]
Message-ID: <20150515080531.940427223@1wt.eu> (raw)
In-Reply-To: <9c2783dfae10ef2d1e9b08bcc1e562c5@local>

2.6.32-longterm review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 upstream.

`spidev_message()` sums the lengths of the individual SPI transfers to
determine the overall SPI message length.  It restricts the total
length, returning an error if too long, but it does not check for
arithmetic overflow.  For example, if the SPI message consisted of two
transfers and the first has a length of 10 and the second has a length
of (__u32)(-1), the total length would be seen as 9, even though the
second transfer is actually very long.  If the second transfer specifies
a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
overrun the spidev's pre-allocated tx buffer before it reaches an
invalid user memory address.  Fix it by checking that neither the total
nor the individual transfer lengths exceed the maximum allowed value.

Thanks to Dan Carpenter for reporting the potential integer overflow.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
[Ian Abbott: Note: original commit compares the lengths to INT_MAX
 instead of bufsiz due to changes in earlier commits.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit 7499401e4a0b01ee43cff768de4ca630dcd0bc64)
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 drivers/spi/spidev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index 5d23983..4dd8e2a 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -241,7 +241,10 @@ static int spidev_message(struct spidev_data *spidev,
 		k_tmp->len = u_tmp->len;

 		total += k_tmp->len;
-		if (total > bufsiz) {
+		/* Check total length of transfers.  Also check each
+		 * transfer length to avoid arithmetic overflow.
+		 */
+		if (total > bufsiz || k_tmp->len > bufsiz) {
 			status = -EMSGSIZE;
 			goto done;
 		}
-- 
1.7.12.2.21.g234cd45.dirty

next prev parent reply	other threads:[~2015-05-15  8:16 UTC|newest]

Thread overview: 61+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <9c2783dfae10ef2d1e9b08bcc1e562c5@local>
2015-05-15  8:05 ` [ 00/48] 2.6.32.66-longterm review Willy Tarreau
2015-05-15  8:05 ` [ 01/48] x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and sync_regs Willy Tarreau
2015-05-15  8:05 ` [ 02/48] x86/tls: Validate TLS entries to protect espfix Willy Tarreau
2015-05-15  8:05 ` [ 03/48] x86, tls, ldt: Stop checking lm in LDT_empty Willy Tarreau
2015-05-15  8:05 ` [ 04/48] x86, tls: Interpret an all-zero struct user_desc as "no segment" Willy Tarreau
2015-05-15  8:05 ` [ 05/48] x86_64, switch_to(): Load TLS descriptors before switching DS and ES Willy Tarreau
2015-05-15 12:32   ` Ben Hutchings
2015-05-15 13:38     ` Willy Tarreau
2015-05-15 14:25       ` Ben Hutchings
2015-05-15 14:31         ` Ben Hutchings
2015-05-15 14:37         ` Willy Tarreau
2015-05-15 15:53         ` Andi Kleen
2015-05-15 16:48           ` Willy Tarreau
2015-05-15 20:53           ` Ben Hutchings
2015-05-15 22:15             ` Andi Kleen
2015-05-15  8:05 ` [ 06/48] x86/tls: Disallow unusual TLS segments Willy Tarreau
2015-05-15  8:05 ` [ 07/48] x86/tls: Dont validate lm in set_thread_area() after all Willy Tarreau
2015-05-15  8:05 ` [ 08/48] x86, kvm: Clear paravirt_enabled on KVM guests for espfix32s benefit Willy Tarreau
2015-05-15  8:05 ` [ 09/48] x86_64, vdso: Fix the vdso address randomization algorithm Willy Tarreau
2015-05-15 21:02   ` Ben Hutchings
2015-05-15  8:05 ` [ 10/48] ASLR: fix stack randomization on 64-bit systems Willy Tarreau
2015-05-15  8:05 ` [ 11/48] x86, cpu, amd: Add workaround for family 16h, erratum 793 Willy Tarreau
2015-05-15  8:05 ` [ 12/48] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Willy Tarreau
2015-05-15  8:05 ` [ 13/48] x86: Conditionally update time when ack-ing pending irqs Willy Tarreau
2015-05-15  8:05 ` [ 14/48] serial: samsung: wait for transfer completion before clock disable Willy Tarreau
2015-05-15  8:05 ` [ 15/48] splice: Apply generic position and size checks to each write Willy Tarreau
2015-05-15  8:05 ` [ 16/48] netfilter: conntrack: disable generic tracking for known protocols Willy Tarreau
2015-05-15 21:05   ` Ben Hutchings
2015-05-15  8:05 ` [ 17/48] isofs: Fix infinite looping over CE entries Willy Tarreau
2015-05-15  8:05 ` [ 18/48] isofs: Fix unchecked printing of ER records Willy Tarreau
2015-05-15  8:05 ` [ 19/48] net: sctp: fix memory leak in auth key management Willy Tarreau
2015-05-15  8:05 ` [ 20/48] net: sctp: fix slab corruption from use after free on INIT collisions Willy Tarreau
2015-05-15  8:05 ` [ 21/48] IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic Willy Tarreau
2015-05-15  8:05 ` [ 22/48] net: llc: use correct size for sysctl timeout entries Willy Tarreau
2015-05-15  8:05 ` [ 23/48] net: rds: use correct size for max unacked packets and bytes Willy Tarreau
2015-05-15  8:05 ` [ 24/48] ipv6: Dont reduce hop limit for an interface Willy Tarreau
2015-05-15  8:05 ` [ 25/48] fs: take i_mutex during prepare_binprm for set[ug]id executables Willy Tarreau
2015-05-15  8:05 ` [ 26/48] net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland Willy Tarreau
2015-05-15 21:08   ` Ben Hutchings
2015-05-16  5:31     ` Willy Tarreau
2015-05-15  8:05 ` [ 27/48] ppp: deflate: never return len larger than output buffer Willy Tarreau
2015-05-15  8:05 ` [ 29/48] net: reject creation of netdev names with colons Willy Tarreau
2015-05-15  8:06 ` [ 30/48] ipv4: Dont use ufo handling on later transformed packets Willy Tarreau
2015-05-15  8:06 ` [ 31/48] udp: only allow UFO for packets from SOCK_DGRAM sockets Willy Tarreau
2015-05-15  8:06 ` [ 32/48] net: avoid to hang up on sending due to sysctl configuration overflow Willy Tarreau
2015-05-15  8:06 ` [ 33/48] net: sysctl_net_core: check SNDBUF and RCVBUF for min length Willy Tarreau
2015-05-15  8:06 ` [ 34/48] rds: avoid potential stack overflow Willy Tarreau
2015-05-15  8:06 ` [ 35/48] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() Willy Tarreau
2015-05-15  8:06 ` [ 36/48] tcp: make connect() mem charging friendly Willy Tarreau
2015-05-15  8:06 ` [ 37/48] ip_forward: Drop frames with attached skb->sk Willy Tarreau
2015-05-15  8:06 ` [ 38/48] tcp: avoid looping in tcp_send_fin() Willy Tarreau
2015-05-15  8:06 ` Willy Tarreau [this message]
2015-05-15  8:06 ` [ 40/48] IB/core: Avoid leakage from kernel to user space Willy Tarreau
2015-05-15  8:06 ` [ 41/48] ipvs: uninitialized data with IP_VS_IPV6 Willy Tarreau
2015-05-15  8:06 ` [ 42/48] ipv4: fix nexthop attlen check in fib_nh_match Willy Tarreau
2015-05-15  8:06 ` [ 43/48] pagemap: do not leak physical addresses to non-privileged userspace Willy Tarreau
2015-05-15  8:06 ` [ 44/48] lockd: Try to reconnect if statd has moved Willy Tarreau
2015-05-15  8:06 ` [ 45/48] scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND Willy Tarreau
2015-05-15  8:06 ` [ 46/48] posix-timers: Fix stack info leak in timer_create() Willy Tarreau
2015-05-15  8:06 ` [ 47/48] hfsplus: fix B-tree corruption after insertion at position 0 Willy Tarreau
2015-05-15  8:06 ` [ 48/48] sound/oss: fix deadlock in sequencer_ioctl(SNDCTL_SEQ_OUTOFBAND) Willy Tarreau

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5d23983 dfblob:4dd8e2a )
 OR (
bs:"[ 39/48] spi: spidev: fix possible arithmetic overflow for multi-transfer message" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150515080531.940427223@1wt.eu \
    --to=w@1wt.eu \
    --cc=abbotti@mev.co.uk \
    --cc=ben@decadent.org.uk \
    --cc=broonie@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox