From patchwork Wed Sep 12 07:30:46 2018
X-Patchwork-Submitter: Tomi Valkeinen
X-Patchwork-Id: 146510
From: Tomi Valkeinen
To: Bartlomiej Zolnierkiewicz
CC: Tomi Valkeinen, Will Deacon, Jann Horn, Tony Lindgren
Subject: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
Date: Wed, 12 Sep 2018 10:30:46 +0300
Message-ID: <20180912073046.26475-1-tomi.valkeinen@ti.com>
X-Mailing-List: linux-fbdev@vger.kernel.org

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen
Reported-by: Jann Horn
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon
Cc: Jann Horn
Cc: Tony Lindgren
---
 drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

-- 
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki

diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c index ef69273074ba..a3edb20ea4c3 100644 --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi, if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size)) return -EFAULT; + if (mr->w > 4096 || mr->h > 4096) + return -EINVAL; + if (mr->w * mr->h * 3 > mr->buffer_size) return -EINVAL; @@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi, mr->x, mr->y, mr->w, mr->h); if (r > 0) { - if (copy_to_user(mr->buffer, buf, mr->buffer_size)) + if (copy_to_user(mr->buffer, buf, r)) r = -EFAULT; }
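
Review bot: The 4096 limit in the new "mr->w > 4096 || mr->h > 4096" check (first hunk, at -496) is a bare magic number with no comment tying it to the overflow it is meant to prevent. With both values capped at 4096, mr->w * mr->h * 3 is at most 50,331,648 and cannot wrap in 32-bit arithmetic, which is what makes the following "> mr->buffer_size" comparison reliable; a named constant or a one-line comment stating that would keep a later change to the limit from reintroducing the wrap. A zero w or h still passes both checks, so it is worth either rejecting it here or confirming that the code further down handles it.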
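
Review bot: In the second hunk (at -509), copy_to_user(mr->buffer, buf, r) trusts r, and nothing in the visible lines bounds r by mr->buffer_size or by the size of buf. The "r > 0" guard only excludes errors and empty reads. If the read call above can never return more than the size it was given, a short comment saying so would document the invariant; otherwise clamp the length, for example min_t(size_t, r, mr->buffer_size), so that the infoleak fix cannot become an over-read of buf or a write past the range that access_ok() validated.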