| Message ID | 20180423084535.27270-3-po-hsu.lin@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [CVE-2018-8822,Trusty,SRU] staging: ncpfs: memory corruption in ncp_read_kernel() | expand |
On 23/04/18 09:45, Po-Hsu Lin wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2018-8822 > > If the server is malicious then *bytes_read could be larger than the > size of the "target" buffer. It would lead to memory corruption when we > do the memcpy(). > > Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (backported from commit 4c41aa24baa4ed338241d05494f2c595c885af8f) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > fs/ncpfs/ncplib_kernel.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/fs/ncpfs/ncplib_kernel.c b/fs/ncpfs/ncplib_kernel.c > index 981a956..76c6a8e 100644 > --- a/fs/ncpfs/ncplib_kernel.c > +++ b/fs/ncpfs/ncplib_kernel.c > @@ -982,6 +982,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, > goto out; > } > *bytes_read = ncp_reply_be16(server, 0); > + if (*bytes_read > to_read) { > + result = -EINVAL; > + goto out; > + } > source = ncp_reply_data(server, 2 + (offset & 1)); > > memcpy(target, source, *bytes_read); > Looks good to me. Acked-by: Colin Ian King <colin.king@canonical.com>
On 23.04.2018 10:45, Po-Hsu Lin wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2018-8822 > > If the server is malicious then *bytes_read could be larger than the > size of the "target" buffer. It would lead to memory corruption when we > do the memcpy(). > > Reported-by: Dr Silvio Cesare of InfoSect <Silvio Cesare <silvio.cesare@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (backported from commit 4c41aa24baa4ed338241d05494f2c595c885af8f) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/ncpfs/ncplib_kernel.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/fs/ncpfs/ncplib_kernel.c b/fs/ncpfs/ncplib_kernel.c > index 981a956..76c6a8e 100644 > --- a/fs/ncpfs/ncplib_kernel.c > +++ b/fs/ncpfs/ncplib_kernel.c > @@ -982,6 +982,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, > goto out; > } > *bytes_read = ncp_reply_be16(server, 0); > + if (*bytes_read > to_read) { > + result = -EINVAL; > + goto out; > + } > source = ncp_reply_data(server, 2 + (offset & 1)); > > memcpy(target, source, *bytes_read); >
diff --git a/fs/ncpfs/ncplib_kernel.c b/fs/ncpfs/ncplib_kernel.c index 981a956..76c6a8e 100644 --- a/fs/ncpfs/ncplib_kernel.c +++ b/fs/ncpfs/ncplib_kernel.c @@ -982,6 +982,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id, goto out; } *bytes_read = ncp_reply_be16(server, 0); + if (*bytes_read > to_read) { + result = -EINVAL; + goto out; + } source = ncp_reply_data(server, 2 + (offset & 1)); memcpy(target, source, *bytes_read);