From patchwork Wed Jul 13 01:54:48 2022
X-Patchwork-Submitter: Ning Qiang
X-Patchwork-Id: 1655740
Date: Wed, 13 Jul 2022 09:54:48 +0800 (CST)
From: sohu0106
To: benh@kernel.crashing.org
Cc: Kernel Security Group, linuxppc-dev@lists.ozlabs.org
Subject: oob read in do_adb_query function
Message-ID: <74db5889.1519.181f54412b2.Coremail.sohu0106@126.com>
List-Id: Linux on PowerPC Developers Mail List

In the do_adb_query function of drivers/macintosh/adb.c, req->data is copied from userland. The parameter "req->data[2]" is missing a check; the array size of adb_handler[] is 16, so "adb_handler[req->data[2]].original_address" and "adb_handler[req->data[2]].handler_id" will lead to an OOB read.

                  req->reply[0] = adb_handler[req-

diff --git a/adb.c b/adb.c_patch
index 73b3961..8a5604b 100644
--- a/adb.c
+++ b/adb.c_patch
@@ -647,7 +647,7 @@ do_adb_query(struct adb_request *req)
        switch(req->data[1]) {
        case ADB_QUERY_GETDEVINFO:
-               if (req->nbytes < 3)
+               if (req->nbytes < 3 || req->data[2] > 16)
                        break;
                mutex_lock(&adb_handler_mutex);
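Review bot: the new bound in the hunk is off by one. With adb_handler[] sized 16, as the report states, valid indices are 0..15, but `req->data[2] > 16` still accepts 16, so adb_handler[16].original_address and adb_handler[16].handler_id are read one element past the end of the array. Use `req->data[2] >= 16`, or better `req->data[2] >= ARRAY_SIZE(adb_handler)` so the bound cannot drift from the array declaration. Two smaller points: the file headers (`a/adb.c`, `b/adb.c_patch`) do not match the path drivers/macintosh/adb.c named in the report, so the patch will not apply from the tree root with git am, and there is no Signed-off-by line.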
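The following is an added example, not code from the report or from the kernel, that models the GETDEVINFO index check on a 16-entry table and exercises every userland byte value against it. The structure fields, the ARRAY_SIZE macro definition and the ADB_QUERY_GETDEVINFO value are assumptions made for the model; the only facts taken from the report are the 16-element array and the `> 16` comparison in the patch. The model never performs an out-of-bounds read itself; it reports whether a request would reach the lookup, which for an out-of-range index is exactly the condition that is an OOB read in the real driver.

```c
/* Added example: models the GETDEVINFO bounds check; not the kernel's own code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define ADB_QUERY_GETDEVINFO 1   /* assumed value, used only as a request tag here */

/* Minimal stand-ins for the kernel structures (field names assumed from the report). */
struct adb_handler {
	int original_address;
	int handler_id;
};

struct adb_request {
	unsigned char data[32];   /* bytes copied from userland */
	int nbytes;
	unsigned char reply[32];
	int reply_len;
};

/* 16 entries, as stated in the report: valid indices are 0..15. */
static struct adb_handler adb_handler[16];

typedef int (*index_ok_fn)(unsigned int idx);

/* Check as written in the posted patch ("req->data[2] > 16"): index 16 passes. */
static int index_ok_patch(unsigned int idx)
{
	return !(idx > 16);
}

/* Corrected check: accept only indices strictly below the array size. */
static int index_ok_fixed(unsigned int idx)
{
	return idx < ARRAY_SIZE(adb_handler);
}

/*
 * Model of the ADB_QUERY_GETDEVINFO branch. Returns 1 if the request gets
 * past the checks to the adb_handler[] lookup, 0 if it is rejected. The
 * lookup is only performed when the index really is in bounds, so the model
 * itself never reads past the array.
 */
static int getdevinfo_reaches_lookup(struct adb_request *req, index_ok_fn ok)
{
	unsigned int idx;

	if (req->data[1] != ADB_QUERY_GETDEVINFO)
		return 0;
	if (req->nbytes < 3 || !ok(req->data[2]))
		return 0;

	idx = req->data[2];
	if (idx < ARRAY_SIZE(adb_handler)) {
		req->reply[0] = (unsigned char)adb_handler[idx].original_address;
		req->reply[1] = (unsigned char)adb_handler[idx].handler_id;
		req->reply_len = 2;
	}
	return 1;
}

/* Builds a 3-byte GETDEVINFO request for one device index and runs the model. */
static int lookup_reached_for(unsigned int idx, index_ok_fn ok)
{
	struct adb_request req;

	memset(&req, 0, sizeof(req));
	req.data[1] = ADB_QUERY_GETDEVINFO;
	req.data[2] = (unsigned char)idx;
	req.nbytes = 3;
	return getdevinfo_reaches_lookup(&req, ok);
}

/* Counts the userland byte values that pass the check yet index past the array. */
static int oob_indices_accepted(index_ok_fn ok)
{
	int count = 0;
	unsigned int idx;

	for (idx = 0; idx < 256; idx++)
		if (lookup_reached_for(idx, ok) && idx >= ARRAY_SIZE(adb_handler))
			count++;
	return count;
}

int main(void)
{
	printf("patch check (> 16):  %d out-of-bounds index accepted\n",
	       oob_indices_accepted(index_ok_patch));
	printf("fixed check (>= 16): %d out-of-bounds indices accepted\n",
	       oob_indices_accepted(index_ok_fixed));
	return 0;
}
```

Running the model over all 256 byte values shows the patched check lets exactly one out-of-range index through (16), while the `>=` form lets none through; comparing against ARRAY_SIZE(adb_handler) rather than a literal keeps the check correct if the table is ever resized.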