From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "H. Peter Anvin (Intel)" <hpa@zytor.com>,
"Cc: Johan Hovold" <johan@kernel.org>,
Jiri Slaby <jslaby@suse.com>, Al Viro <viro@zeniv.linux.org.uk>,
Richard Henderson <rth@twiddle.net>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
Matt Turner <mattst88@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
Kate Stewart <kstewart@linuxfoundation.org>,
Philippe Ombredanne <pombredanne@nexb.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: [PATCH 4.9 48/83] termios, tty/tty_baudrate.c: fix buffer overrun
Date: Mon, 19 Nov 2018 17:29:14 +0100
Message-ID: <20181119162622.031401345@linuxfoundation.org>
In-Reply-To: <20181119162612.046511542@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: H. Peter Anvin <hpa@zytor.com>
commit 991a25194097006ec1e0d2e0814ff920e59e3465 upstream.
On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does
not do any limit checking on the tty_baudrate[] array, and in fact a
buffer overrun is possible on both architectures. Add a limit check to
prevent that situation.
This will be followed by a much bigger cleanup/simplification patch.
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Requested-by: Cc: Johan Hovold <johan@kernel.org>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/tty_ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -325,7 +325,7 @@ speed_t tty_termios_baud_rate(struct kte
else
cbaud += 15;
}
- return baud_table[cbaud];
+ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
}
EXPORT_SYMBOL(tty_termios_baud_rate);
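Review bot: The new bound on the return line of tty_termios_baud_rate() is upper-only (`cbaud >= n_baud_table`), so it is only sufficient if cbaud is unsigned and the comparison against n_baud_table is not done in a signed type. Neither declaration is visible in this hunk. Please confirm both types, or state them in the commit message, so that a negative or sign-converted index cannot pass the check after the `cbaud += 15` adjustment above it.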
@@ -361,7 +361,7 @@ speed_t tty_termios_input_baud_rate(stru
else
cbaud += 15;
}
- return baud_table[cbaud];
+ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
#else
return tty_termios_baud_rate(termios);
#endif
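Review bot: The return line of tty_termios_input_baud_rate() repeats the exact ternary from the first hunk, `cbaud >= n_baud_table ? 0 : baud_table[cbaud]`, so the bounds check now lives in two places that must stay in sync. A small static helper that takes cbaud and performs the checked lookup would keep a single copy. The out-of-range case also returns 0 silently. A short comment saying that 0 here means "index outside baud_table" would tell callers how to read that value. The `#else` branch already goes through tty_termios_baud_rate() and so picks up the check from there.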