From patchwork Fri Feb 2 06:44:48 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 868519
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2017-12762][Trusty][SRU][PATCH 1/1] isdn/i4l: fix buffer overflow
Date: Fri, 2 Feb 2018 14:44:48 +0800
Message-Id: <20180202064448.31562-2-po-hsu.lin@canonical.com>
In-Reply-To: <20180202064448.31562-1-po-hsu.lin@canonical.com>
References: <20180202064448.31562-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions

From: Annie Cherkaev

CVE-2017-12762

This fixes a potential buffer overflow in isdn_net.c caused by an unbounded
strcpy.

[ ISDN seems to be effectively unmaintained, and the I4L driver in
  particular is long deprecated, but in case somebody uses this..
    - Linus ]

Signed-off-by: Jiten Thakkar
Signed-off-by: Annie Cherkaev
Cc: Karsten Keil
Cc: Kees Cook
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds
(cherry picked from commit 9f5af546e6acc30f075828cb58c7f09665033967)
Signed-off-by: Po-Hsu Lin Acked-by: Colin Ian King Acked-by: Khalid Elmously --- drivers/isdn/i4l/isdn_common.c | 1 + drivers/isdn/i4l/isdn_net.c | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c index 9bb12ba..dc16b9c 100644 --- a/drivers/isdn/i4l/isdn_common.c +++ b/drivers/isdn/i4l/isdn_common.c @@ -1376,6 +1376,7 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg) if (arg) { if (copy_from_user(bname, argp, sizeof(bname) - 1)) return -EFAULT; + bname[sizeof(bname)-1] = 0; } else return -EINVAL; ret = mutex_lock_interruptible(&dev->mtx); diff --git a/drivers/isdn/i4l/isdn_net.c b/drivers/isdn/i4l/isdn_net.c index 8b98d53..ea51ae3 100644 --- a/drivers/isdn/i4l/isdn_net.c +++ b/drivers/isdn/i4l/isdn_net.c @@ -2643,10 +2643,9 @@ isdn_net_newslave(char *parm) char newname[10]; if (p) { - /* Slave-Name MUST not be empty */ - if (!strlen(p + 1)) + /* Slave-Name MUST not be empty or overflow 'newname' */ + if (strscpy(newname, p + 1, sizeof(newname)) <= 0) return NULL; - strcpy(newname, p + 1); *p = 0; /* Master must already exist */ if (!(n = isdn_net_findif(parm)))
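
Review bot: In the isdn_ioctl() hunk of drivers/isdn/i4l/isdn_common.c, the added `bname[sizeof(bname)-1] = 0;` is not explained by the commit message, which only mentions the strcpy in isdn_net.c. A sentence noting that copy_from_user() is given sizeof(bname) - 1 bytes and does not write the final byte, so the buffer was not guaranteed to be NUL-terminated before being used as a string, would make the reason for this line clear. Minor style: write `sizeof(bname) - 1` with spaces to match the line above, and `'\0'` reads more clearly than a bare 0 for a terminator.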
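
Review bot: In the isdn_net_newslave() hunk of drivers/isdn/i4l/isdn_net.c, the single `<= 0` test folds "empty slave name" and "slave name too long for newname[10]" into the same NULL return, and it depends on strscpy() returning 0 for an empty source and a negative error on truncation. The comment should say that over-long names are rejected rather than truncated, since the caller cannot tell the two cases apart from NULL. Because this is a cherry-pick for Trusty and strscpy() only entered mainline in 4.3, also confirm that the target tree provides strscpy() or that the series carries the prerequisite backport.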