| From f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 Mon Sep 17 00:00:00 2001 |
| From: Ian Abbott <abbotti@mev.co.uk> |
| Date: Mon, 23 Mar 2015 17:50:27 +0000 |
| Subject: spi: spidev: fix possible arithmetic overflow for multi-transfer message |
| |
| From: Ian Abbott <abbotti@mev.co.uk> |
| |
| commit f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 upstream. |
| |
| `spidev_message()` sums the lengths of the individual SPI transfers to |
| determine the overall SPI message length. It restricts the total |
| length, returning an error if too long, but it does not check for |
| arithmetic overflow. For example, if the SPI message consisted of two |
| transfers and the first has a length of 10 and the second has a length |
| of (__u32)(-1), the total length would be seen as 9, even though the |
| second transfer is actually very long. If the second transfer specifies |
| a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could |
| overrun the spidev's pre-allocated tx buffer before it reaches an |
| invalid user memory address. Fix it by checking that neither the total |
| nor the individual transfer lengths exceed the maximum allowed value. |
| |
| Thanks to Dan Carpenter for reporting the potential integer overflow. |
| |
| Signed-off-by: Ian Abbott <abbotti@mev.co.uk> |
| Signed-off-by: Mark Brown <broonie@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/spi/spidev.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/spi/spidev.c |
| +++ b/drivers/spi/spidev.c |
| @@ -243,7 +243,10 @@ static int spidev_message(struct spidev_ |
| k_tmp->len = u_tmp->len; |
| |
| total += k_tmp->len; |
| - if (total > bufsiz) { |
| + /* Check total length of transfers. Also check each |
| + * transfer length to avoid arithmetic overflow. |
| + */ |
| + if (total > bufsiz || k_tmp->len > bufsiz) { |
| status = -EMSGSIZE; |
| goto done; |
| } |
