macintosh:fix oob read in do_adb_query function

Message ID	20220713134037.2331-1-sohu0106@126.com (mailing list archive)
State	Superseded, archived
Headers	show Return-Path: <linuxppc-dev-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: NAME <sohu0106@126.com> To: benh@kernel.crashing.org, sohu0106@126.com Subject: [PATCH] macintosh:fix oob read in do_adb_query function Date: Wed, 13 Jul 2022 21:40:37 +0800 Message-Id: <20220713134037.2331-1-sohu0106@126.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Cc: security@kernel.org, linuxppc-dev@lists.ozlabs.org Errors-To: linuxppc-dev-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" <linuxppc-dev-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	macintosh:fix oob read in do_adb_query function \| expand macintosh:fix oob read in do_adb_query function

Message ID

20220713134037.2331-1-sohu0106@126.com (mailing list archive)

State

Superseded, archived

Headers

From: NAME <sohu0106@126.com>
To: benh@kernel.crashing.org,
	sohu0106@126.com
Subject: [PATCH] macintosh:fix oob read in do_adb_query function
Date: Wed, 13 Jul 2022 21:40:37 +0800
Message-Id: <20220713134037.2331-1-sohu0106@126.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Cc: security@kernel.org, linuxppc-dev@lists.ozlabs.org
Errors-To: linuxppc-dev-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Linuxppc-dev"
 <linuxppc-dev-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

macintosh:fix oob read in do_adb_query function | expand

Checks

Context	Check	Description
snowpatch_ozlabs/github-powerpc_clang	success	Successfully ran 7 jobs.
snowpatch_ozlabs/github-powerpc_sparse	success	Successfully ran 4 jobs.
snowpatch_ozlabs/github-powerpc_kernel_qemu	success	Successfully ran 23 jobs.

Context

Check

Description

snowpatch_ozlabs/github-powerpc_clang

success

Successfully ran 7 jobs.

snowpatch_ozlabs/github-powerpc_sparse

success

Successfully ran 4 jobs.

snowpatch_ozlabs/github-powerpc_kernel_qemu

success

Successfully ran 23 jobs.

Commit Message

Ning Qiang July 13, 2022, 1:40 p.m. UTC

From: sohu0106 <sohu0106@126.com>

In do_adb_query function of drivers/macintosh/adb.c,
req->data is copy form userland. The parameter
"req->data[2]" is Missing check, the array size of
adb_handler[] is 16, so "adb_handler[req->data[2]].
original_address" and "adb_handler[req->data[2]].
handler_id" will lead to oob read.

Signed-off-by: sohu0106 <sohu0106@126.com>
---
 drivers/macintosh/adb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c
index 439fab4eaa85..1bbb9ca08d40 100644
--- a/drivers/macintosh/adb.c
+++ b/drivers/macintosh/adb.c
@@ -647,7 +647,7 @@  do_adb_query(struct adb_request *req)
 
 	switch(req->data[1]) {
 	case ADB_QUERY_GETDEVINFO:
-		if (req->nbytes < 3)
+		if (req->nbytes < 3 || req->data[2] >= 16)
 			break;
 		mutex_lock(&adb_handler_mutex);
 		req->reply[0] = adb_handler[req->data[2]].original_address;

macintosh:fix oob read in do_adb_query function

Checks

Commit Message

Patch