oss-sec mailing list archives

CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow

From: Murray McAllister <murray.mcallister () insomniasec com>
Date: Sun, 22 Jan 2017 10:26:36 +1300

Hi,

This issue affects the VC4_SUBMIT_CL IOCTL in the VideoCore DRM driver,
so probably only affects devices like the Raspberry Pi.

Quoting from Eric Anholt's post:

""
We copy the unvalidated ioctl arguments from the user into kernel
temporary memory to run the validation from, to avoid a race where the
user updates the unvalidate contents in between validating them and
copying them into the validated BO.

However, in setting up the layout of the kernel side, we failed to
check one of the additions (the roundup() for shader_rec_offset)
against integer overflow, allowing a nearly MAX_UINT value of
bin_cl_size to cause us to under-allocate the temporary space that we
then copy_from_user into.
""

https://lkml.org/lkml/2017/1/17/761
https://lkml.org/lkml/2017/1/17/759 (discovered by Ingo Molnar)

I am not subscribed to the list so please mail me if you have any issues.

Chur

Current thread:

CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow Murray McAllister (Jan 21)
- Re: CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow cve-assign (Jan 24)