qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

firewire: cdev: check write quadlet request length to avoid buffer overflow 

Check that the data length of a write quadlet request actually is large
enough for a quadlet.  Otherwise, fw_fill_request could access the four
bytes after the end of the outbound_transaction_event structure.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>

Modification of Clemens' change:  Consolidate the check into
init_request() which is used by the affected ioctl_send_request() and
ioctl_send_broadcast_request() and the unaffected
ioctl_send_stream_packet(), to save a few lines of code.

Note, since struct outbound_transaction_event *e is slab-allocated, such
an out-of-bounds access won't hit unallocated memory but may result in a
(virtually impossible to exploit) information disclosure.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
This commit is contained in:
Clemens Ladisch 2010-07-07 14:37:30 +02:00 committed by Stefan Richter
parent 250b2b6dd4
commit a8e93f3dcc
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/firewire/core-cdev.c
View File

@ -563,6 +563,10 @@ static int init_request(struct client *client,
(request->length > 4096 || request->length > 512 << speed)) (request->length > 4096 || request->length > 512 << speed))
return -EIO; return -EIO;
if (request->tcode == TCODE_WRITE_QUADLET_REQUEST &&
request->length < 4)
return -EINVAL;
e = kmalloc(sizeof(*e) + request->length, GFP_KERNEL); e = kmalloc(sizeof(*e) + request->length, GFP_KERNEL);
if (e == NULL) if (e == NULL)
return -ENOMEM; return -ENOMEM;