X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 772190
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [Zesty][CVE-2017-100363][PATCH] char: lp: fix possible integer overflow in lp_setup()
Date: Wed, 7 Jun 2017 13:15:32 +0800
Message-Id: <1496812532-26491-4-git-send-email-po-hsu.lin@canonical.com>
In-Reply-To: <1496812532-26491-1-git-send-email-po-hsu.lin@canonical.com>
References: <1496812532-26491-1-git-send-email-po-hsu.lin@canonical.com>

From: Willy Tarreau

CVE-2017-1000363

The lp_setup() code doesn't apply any bounds checking when passing
"lp=none", and only in this case, resulting in an overflow of the
parport_nr[] array. All versions in Git history are affected.

Reported-By: Roee Hay
Cc: Ben Hutchings
Cc: stable@vger.kernel.org
Signed-off-by: Willy Tarreau
Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3e21f4af170bebf47c187c1ff8bf155583c9f3b1) Signed-off-by: Po-Hsu Lin --- drivers/char/lp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/char/lp.c b/drivers/char/lp.c index 5b67427..841fd59 100644 --- a/drivers/char/lp.c +++ b/drivers/char/lp.c @@ -859,7 +859,11 @@ static int __init lp_setup (char *str) } else if (!strcmp(str, "auto")) { parport_nr[0] = LP_PARPORT_AUTO; } else if (!strcmp(str, "none")) { - parport_nr[parport_ptr++] = LP_PARPORT_NONE; + if (parport_ptr < LP_NO) + parport_nr[parport_ptr++] = LP_PARPORT_NONE; + else + printk(KERN_INFO "lp: too many ports, %s ignored.\n", + str); } else if (!strcmp(str, "reset")) { reset = 1; }
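
Review bot: The new guard in the "none" branch of lp_setup(), `if (parport_ptr < LP_NO)`, is only a complete bound if parport_nr[] is declared with LP_NO elements and parport_ptr can never be negative, and neither declaration is visible in this hunk. Since this is a cherry-pick, please confirm both against drivers/char/lp.c in the Zesty tree rather than assuming they match upstream. In the else arm, `str` is always "none" at that point, so the `%s` adds nothing; keeping it is fine for staying byte-identical with commit 3e21f4af170bebf47c187c1ff8bf155583c9f3b1, but say so if that is the reason. Separately, the Subject tag reads CVE-2017-100363 while the commit body has CVE-2017-1000363, and the Subject calls this an integer overflow where the message describes an overflow of the parport_nr[] array; the Subject tag should be corrected before applying so that CVE tracking picks up the right identifier.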