[linux] 05/07: fbdev: color map copying bounds checking (CVE-2016-8405)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Feb 21 21:40:58 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit e3a6861dee1c293b6a38323203a00c3c4f78b1f8
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Feb 21 20:27:10 2017 +0000

    fbdev: color map copying bounds checking (CVE-2016-8405)
---
 debian/changelog                                   |  1 +
 .../fbdev-color-map-copying-bounds-checking.patch  | 79 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 81 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 0c796b3..9f22308 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux (3.2.84-2) UNRELEASED; urgency=high
   * perf: Fix perf_event_for_each() to use sibling
   * lockdep: Silence warning if CONFIG_LOCKDEP isn't set
   * perf: Fix event->ctx locking (CVE-2016-6786, CVE-2016-6787)
+  * fbdev: color map copying bounds checking (CVE-2016-8405)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 18 Feb 2017 18:26:58 +0100
 
diff --git a/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch
new file mode 100644
index 0000000..63b092a
--- /dev/null
+++ b/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch
@@ -0,0 +1,79 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 24 Jan 2017 15:18:24 -0800
+Subject: fbdev: color map copying bounds checking
+Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
+
+Copying color maps to userspace doesn't check the value of to->start,
+which will cause kernel heap buffer OOB read due to signedness wraps.
+
+CVE-2016-8405
+
+Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Peter Pi (@heisecode) of Trend Micro
+Cc: Min Chong <mchong at google.com>
+Cc: Dan Carpenter <dan.carpenter at oracle.com>
+Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2: adjust filename]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/video/fbcmap.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/drivers/video/fbcmap.c
++++ b/drivers/video/fbcmap.c
+@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cma
+ 
+ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
+ {
+-	int tooff = 0, fromoff = 0;
+-	int size;
++	unsigned int tooff = 0, fromoff = 0;
++	size_t size;
+ 
+ 	if (to->start > from->start)
+ 		fromoff = to->start - from->start;
+ 	else
+ 		tooff = from->start - to->start;
+-	size = to->len - tooff;
+-	if (size > (int) (from->len - fromoff))
+-		size = from->len - fromoff;
+-	if (size <= 0)
++	if (fromoff >= from->len || tooff >= to->len)
++		return -EINVAL;
++
++	size = min_t(size_t, to->len - tooff, from->len - fromoff);
++	if (size == 0)
+ 		return -EINVAL;
+ 	size *= sizeof(u16);
+ 
+@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *f
+ 
+ int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
+ {
+-	int tooff = 0, fromoff = 0;
+-	int size;
++	unsigned int tooff = 0, fromoff = 0;
++	size_t size;
+ 
+ 	if (to->start > from->start)
+ 		fromoff = to->start - from->start;
+ 	else
+ 		tooff = from->start - to->start;
+-	size = to->len - tooff;
+-	if (size > (int) (from->len - fromoff))
+-		size = from->len - fromoff;
+-	if (size <= 0)
++	if (fromoff >= from->len || tooff >= to->len)
++		return -EINVAL;
++
++	size = min_t(size_t, to->len - tooff, from->len - fromoff);
++	if (size == 0)
+ 		return -EINVAL;
+ 	size *= sizeof(u16);
+ 
diff --git a/debian/patches/series b/debian/patches/series
index c507db7..e574fa0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1132,6 +1132,7 @@ bugfix/all/media-info-leak-in-__media_device_enum_links.patch
 bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch
 bugfix/all/lockdep-silence-warning-if-config_lockdep-isn-t-set.patch
 bugfix/all/perf-fix-event-ctx-locking.patch
+bugfix/all/fbdev-color-map-copying-bounds-checking.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list