Message ID | 1458282993-6371-1-git-send-email-andrew.donnellan@au1.ibm.com (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
On Fri, 2016-18-03 at 06:36:33 UTC, Andrew Donnellan wrote: > If ppc_rtas() is called with args.nargs == 16 and args.nret == 0, args.rets > is set to point to &args.args[16], which is beyond the end of the args.args > array. This results in a minor read overrun of the array when we check the > first return code (which, per PAPR, is a required output of all RTAS calls) > to see if there's been a hardware error. > > Change the nargs/nret check to ensure nargs is <= 15, allowing room for the > status code. Users shouldn't be calling with nret == 0, but there's no real > harm if they do, so we don't stop them. > > Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> Applied to powerpc next, thanks. https://git.kernel.org/powerpc/c/a9862c7440f191439a51f77233 cheers
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 28736ff..8da209f 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -1070,7 +1070,7 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs) nret = be32_to_cpu(args.nret); token = be32_to_cpu(args.token); - if (nargs > ARRAY_SIZE(args.args) + if (nargs >= ARRAY_SIZE(args.args) || nret > ARRAY_SIZE(args.args) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL;
If ppc_rtas() is called with args.nargs == 16 and args.nret == 0, args.rets is set to point to &args.args[16], which is beyond the end of the args.args array. This results in a minor read overrun of the array when we check the first return code (which, per PAPR, is a required output of all RTAS calls) to see if there's been a hardware error. Change the nargs/nret check to ensure nargs is <= 15, allowing room for the status code. Users shouldn't be calling with nret == 0, but there's no real harm if they do, so we don't stop them. Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> --- Found with the assistance of Coverity Scan. The dodgy read doesn't currently leak anything at all to userspace, as args.rets isn't copied back to userspace. --- arch/powerpc/kernel/rtas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)