From patchwork Wed Jun 7 09:05:21 2017
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 772282
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2017-100363][PATCHv2 T/Y/Z] char: lp: fix possible integer overflow in lp_setup()
Date: Wed, 7 Jun 2017 17:05:21 +0800
Message-Id: <1496826321-29705-2-git-send-email-po-hsu.lin@canonical.com>
In-Reply-To: <1496826321-29705-1-git-send-email-po-hsu.lin@canonical.com>
References: <1496826321-29705-1-git-send-email-po-hsu.lin@canonical.com>

From: Willy Tarreau

CVE-2017-100363

The lp_setup() code doesn't apply any bounds checking when passing
"lp=none", and only in this case, resulting in an overflow of the
parport_nr[] array. All versions in Git history are affected.

Reported-By: Roee Hay
Cc: Ben Hutchings
Cc: stable@vger.kernel.org
Signed-off-by: Willy Tarreau
Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3e21f4af170bebf47c187c1ff8bf155583c9f3b1) Signed-off-by: Po-Hsu Lin Acked-by: Colin Ian King --- drivers/char/lp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/char/lp.c b/drivers/char/lp.c index 0913d79..6b61910 100644 --- a/drivers/char/lp.c +++ b/drivers/char/lp.c @@ -857,7 +857,11 @@ static int __init lp_setup (char *str) } else if (!strcmp(str, "auto")) { parport_nr[0] = LP_PARPORT_AUTO; } else if (!strcmp(str, "none")) { - parport_nr[parport_ptr++] = LP_PARPORT_NONE; + if (parport_ptr < LP_NO) + parport_nr[parport_ptr++] = LP_PARPORT_NONE; + else + printk(KERN_INFO "lp: too many ports, %s ignored.\n", + str); } else if (!strcmp(str, "reset")) { reset = 1; }
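
Review bot: The added test in the "none" branch, "if (parport_ptr < LP_NO)", bounds the index from above only, and the declaration of parport_ptr is not visible in this hunk. Please confirm it cannot hold a negative value, and that every other branch of lp_setup() that stores through parport_nr[parport_ptr++] carries the same test, since the commit message states that only this branch lacked it. On the else arm, the rejected parameter is reported at KERN_INFO; if the other branches of the function report the same condition, the text and level here should match them so that one log pattern catches every dropped "lp=" argument across the T/Y/Z backports.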