Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f7ba24cc-1b0e-7ea8-fd2d-d062c817d55d@insomniasec.com>
Date: Sun, 22 Jan 2017 10:26:36 +1300
From: Murray McAllister <murray.mcallister@...omniasec.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Linux kernel: vc4: int overflow leading to heap-based
 buffer overflow

Hi,

This issue affects the VC4_SUBMIT_CL IOCTL in the VideoCore DRM driver,
so probably only affects devices like the Raspberry Pi.

Quoting from Eric Anholt's post:

""
We copy the unvalidated ioctl arguments from the user into kernel
temporary memory to run the validation from, to avoid a race where the
user updates the unvalidate contents in between validating them and
copying them into the validated BO.

However, in setting up the layout of the kernel side, we failed to
check one of the additions (the roundup() for shader_rec_offset)
against integer overflow, allowing a nearly MAX_UINT value of
bin_cl_size to cause us to under-allocate the temporary space that we
then copy_from_user into.
""

https://lkml.org/lkml/2017/1/17/761
https://lkml.org/lkml/2017/1/17/759 (discovered by Ingo Molnar)

I am not subscribed to the list so please mail me if you have any issues.

Chur

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.