Re: [PATCH] staging: speakup: fix wraparound in uaccess length check

From: Greg Kroah-Hartman
Date: Sat Jul 07 2018 - 04:01:45 EST

Next message: Guo Ren: "Re: [PATCH V2 11/19] csky: Atomic operations"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] ibmasm: don't write out of bounds in read handler"
In reply to: Jann Horn: "[PATCH] staging: speakup: fix wraparound in uaccess length check"
Next in thread: Samuel Thibault: "Re: [PATCH] staging: speakup: fix wraparound in uaccess length check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jul 07, 2018 at 03:53:44AM +0200, Jann Horn wrote:
> If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
> the loop to copy as much data as available to the provided buffer. If
> softsynthx_read() is invoked through sys_splice(), this causes an
> unbounded kernel write; but even when userspace just reads from it
> normally, a small size could cause userspace crashes.
>
> Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
> ---
>
> Reproducer (kernel overflows userspace stack, resulting in segfault):

Nice find, thanks for the patch!

greg k-h

Next message: Guo Ren: "Re: [PATCH V2 11/19] csky: Atomic operations"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] ibmasm: don't write out of bounds in read handler"
In reply to: Jann Horn: "[PATCH] staging: speakup: fix wraparound in uaccess length check"
Next in thread: Samuel Thibault: "Re: [PATCH] staging: speakup: fix wraparound in uaccess length check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]