oss-sec mailing list archives
CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow
From: Murray McAllister <murray.mcallister () insomniasec com>
Date: Sun, 22 Jan 2017 10:26:36 +1300
Hi, This issue affects the VC4_SUBMIT_CL IOCTL in the VideoCore DRM driver, so probably only affects devices like the Raspberry Pi. Quoting from Eric Anholt's post: "" We copy the unvalidated ioctl arguments from the user into kernel temporary memory to run the validation from, to avoid a race where the user updates the unvalidate contents in between validating them and copying them into the validated BO. However, in setting up the layout of the kernel side, we failed to check one of the additions (the roundup() for shader_rec_offset) against integer overflow, allowing a nearly MAX_UINT value of bin_cl_size to cause us to under-allocate the temporary space that we then copy_from_user into. "" https://lkml.org/lkml/2017/1/17/761 https://lkml.org/lkml/2017/1/17/759 (discovered by Ingo Molnar) I am not subscribed to the list so please mail me if you have any issues. Chur
Current thread:
- CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow Murray McAllister (Jan 21)