Date: Sun, 22 Jan 2017 10:26:36 +1300 From: Murray McAllister <murray.mcallister@...omniasec.com> To: oss-security@...ts.openwall.com Subject: CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow Hi, This issue affects the VC4_SUBMIT_CL IOCTL in the VideoCore DRM driver, so probably only affects devices like the Raspberry Pi. Quoting from Eric Anholt's post: "" We copy the unvalidated ioctl arguments from the user into kernel temporary memory to run the validation from, to avoid a race where the user updates the unvalidate contents in between validating them and copying them into the validated BO. However, in setting up the layout of the kernel side, we failed to check one of the additions (the roundup() for shader_rec_offset) against integer overflow, allowing a nearly MAX_UINT value of bin_cl_size to cause us to under-allocate the temporary space that we then copy_from_user into. "" https://lkml.org/lkml/2017/1/17/761 https://lkml.org/lkml/2017/1/17/759 (discovered by Ingo Molnar) I am not subscribed to the list so please mail me if you have any issues. Chur
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ