From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Gwendal Grignou <gwendal@chromium.org>,
Olof Johansson <olof@lixom.net>
Subject: [PATCH 4.4 04/14] platform/chrome: cros_ec_dev - Fix security issue
Date: Mon, 22 Mar 2021 13:28:58 +0100 [thread overview]
Message-ID: <20210322121919.341638975@linuxfoundation.org> (raw)
In-Reply-To: <20210322121919.202392464@linuxfoundation.org>
From: Gwendal Grignou <gwendal@chromium.org>
commit 5d749d0bbe811c10d9048cde6dfebc761713abfd upstream.
Prevent memory scribble by checking that ioctl buffer size parameters
are sane.
Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
.outsize the amount to scribble, we would overflow, allocate a small
amounts and be able to write outside of the malloc'ed area.
Adding a hard limit allows argument checking of the ioctl. With the
current EC, it is expected .insize and .outsize to be at around 512 bytes
or less.
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec_dev.c | 4 ++++
drivers/platform/chrome/cros_ec_proto.c | 4 ++--
include/linux/mfd/cros_ec.h | 6 ++++--
3 files changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/platform/chrome/cros_ec_dev.c
+++ b/drivers/platform/chrome/cros_ec_dev.c
@@ -137,6 +137,10 @@ static long ec_device_ioctl_xcmd(struct
if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
return -EFAULT;
+ if ((u_cmd.outsize > EC_MAX_MSG_BYTES) ||
+ (u_cmd.insize > EC_MAX_MSG_BYTES))
+ return -EINVAL;
+
s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
GFP_KERNEL);
if (!s_cmd)
--- a/drivers/platform/chrome/cros_ec_proto.c
+++ b/drivers/platform/chrome/cros_ec_proto.c
@@ -311,8 +311,8 @@ int cros_ec_query_all(struct cros_ec_dev
ec_dev->max_response = EC_PROTO2_MAX_PARAM_SIZE;
ec_dev->max_passthru = 0;
ec_dev->pkt_xfer = NULL;
- ec_dev->din_size = EC_MSG_BYTES;
- ec_dev->dout_size = EC_MSG_BYTES;
+ ec_dev->din_size = EC_PROTO2_MSG_BYTES;
+ ec_dev->dout_size = EC_PROTO2_MSG_BYTES;
} else {
/*
* It's possible for a test to occur too early when
--- a/include/linux/mfd/cros_ec.h
+++ b/include/linux/mfd/cros_ec.h
@@ -50,9 +50,11 @@ enum {
EC_MSG_TX_TRAILER_BYTES,
EC_MSG_RX_PROTO_BYTES = 3,
- /* Max length of messages */
- EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
+ /* Max length of messages for proto 2*/
+ EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
EC_MSG_TX_PROTO_BYTES,
+
+ EC_MAX_MSG_BYTES = 64 * 1024,
};
/*
next prev parent reply other threads:[~2021-03-22 12:54 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-22 12:28 [PATCH 4.4 00/14] 4.4.263-rc1 review Greg Kroah-Hartman
2021-03-22 12:28 ` [PATCH 4.4 01/14] ext4: handle error of ext4_setup_system_zone() on remount Greg Kroah-Hartman
2021-03-22 12:28 ` [PATCH 4.4 02/14] ext4: dont allow overlapping system zones Greg Kroah-Hartman
2021-03-22 12:28 ` [PATCH 4.4 03/14] ext4: check journal inode extents more carefully Greg Kroah-Hartman
2021-03-22 12:28 ` Greg Kroah-Hartman [this message]
2021-03-22 12:28 ` [PATCH 4.4 05/14] btrfs: fix race when cloning extent buffer during rewind of an old root Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 06/14] NFSD: Repair misuse of sv_lock in 5.10.16-rt30 Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 07/14] scsi: lpfc: Fix some error codes in debugfs Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 08/14] USB: replace hardcode maximum usb string length by definition Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 09/14] usb: gadget: configfs: Fix KASAN use-after-free Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 10/14] PCI: rpadlpar: Fix potential drc_name corruption in store functions Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 11/14] x86/ioapic: Ignore IRQ2 again Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 12/14] ext4: find old entry again if failed to rename whiteout Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 13/14] ext4: fix potential error in ext4_do_update_inode Greg Kroah-Hartman
2021-03-22 12:29 ` [PATCH 4.4 14/14] genirq: Disable interrupts for force threaded handlers Greg Kroah-Hartman
2021-03-22 14:35 ` [PATCH 4.4 00/14] 4.4.263-rc1 review Jon Hunter
2021-03-22 20:14 ` Pavel Machek
2021-03-22 21:55 ` Guenter Roeck
2021-03-23 13:30 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210322121919.341638975@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=gwendal@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olof@lixom.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).