From patchwork Wed Sep 12 07:30:46 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tomi Valkeinen <tomi.valkeinen@ti.com>
X-Patchwork-Id: 10596903
Return-Path: <linux-fbdev-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3F700112B
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
 Wed, 12 Sep 2018 07:31:38 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 266882992C
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
 Wed, 12 Sep 2018 07:31:38 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 24DEF29949; Wed, 12 Sep 2018 07:31:38 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham
	version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9267229968
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
 Wed, 12 Sep 2018 07:31:37 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726555AbeILMeu (ORCPT
        <rfc822;patchwork-linux-fbdev@patchwork.kernel.org>);
        Wed, 12 Sep 2018 08:34:50 -0400
Received: from lelv0142.ext.ti.com ([198.47.23.249]:57608 "EHLO
        lelv0142.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726471AbeILMeu (ORCPT
        <rfc822;linux-fbdev@vger.kernel.org>);
        Wed, 12 Sep 2018 08:34:50 -0400
Received: from dflxv15.itg.ti.com ([128.247.5.124])
        by lelv0142.ext.ti.com (8.15.2/8.15.2) with ESMTP id w8C7VKhT116153;
        Wed, 12 Sep 2018 02:31:20 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com;
        s=ti-com-17Q1; t=1536737480;
        bh=qFFpVKSQduLmOatanslEMa2RD5I9o1dIcv1+FyewjNk=;
        h=From:To:CC:Subject:Date;
        b=B0V6bOgYkvjAbVU5J9PF5F5JCHKoWm6LJDYHGE0L6xNw1zB+Ek11Y0464oH6oMhxq
         uoy3lxKJ5q3fSAx9zD3HBLBOkXUcwSnjpYmb5uzhdwdzr8loUic7C0MNN3d7olU6u6
         ZrQ+ZCyyxviaupR3D0Te4zZlgFFzkCd29ce2wdKk=
Received: from DLEE106.ent.ti.com (dlee106.ent.ti.com [157.170.170.36])
        by dflxv15.itg.ti.com (8.14.3/8.13.8) with ESMTP id w8C7VK35018029;
        Wed, 12 Sep 2018 02:31:20 -0500
Received: from DLEE102.ent.ti.com (157.170.170.32) by DLEE106.ent.ti.com
 (157.170.170.36) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 12
 Sep 2018 02:31:18 -0500
Received: from dlep33.itg.ti.com (157.170.170.75) by DLEE102.ent.ti.com
 (157.170.170.32) with Microsoft SMTP Server (version=TLS1_0,
 cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1466.3 via Frontend Transport;
 Wed, 12 Sep 2018 02:31:18 -0500
Received: from deskari.ti.com (ileax41-snat.itg.ti.com [10.172.224.153])
        by dlep33.itg.ti.com (8.14.3/8.13.8) with ESMTP id w8C7VFpw018587;
        Wed, 12 Sep 2018 02:31:16 -0500
From: Tomi Valkeinen <tomi.valkeinen@ti.com>
To: <linux-fbdev@vger.kernel.org>,
        Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
CC: Tomi Valkeinen <tomi.valkeinen@ti.com>, <stable@vger.kernel.org>,
        <security@kernel.org>, Will Deacon <will.deacon@arm.com>,
        Jann Horn <jannh@google.com>, Tony Lindgren <tony@atomide.com>
Subject: [PATCH] fbdev/omapfb: fix omapfb_memory_read infoleak
Date: Wed, 12 Sep 2018 10:30:46 +0300
Message-ID: <20180912073046.26475-1-tomi.valkeinen@ti.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
Sender: linux-fbdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fbdev.vger.kernel.org>
X-Mailing-List: linux-fbdev@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
them to a userspace buffer. The code has two issues:

- The user provided width and height could be large enough to overflow
  the calculations
- The copy_to_user() can copy uninitialized memory to the userspace,
  which might contain sensitive kernel information.

Fix these by limiting the width & height parameters, and only copying
the amount of data that we actually received from the LCD.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Tony Lindgren <tony@atomide.com>
---
 drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
index ef69273074ba..a3edb20ea4c3 100644
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -496,6 +496,9 @@ static int omapfb_memory_read(struct fb_info *fbi,
 	if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
 		return -EFAULT;
 
+	if (mr->w > 4096 || mr->h > 4096)
+		return -EINVAL;
+
 	if (mr->w * mr->h * 3 > mr->buffer_size)
 		return -EINVAL;
 
@@ -509,7 +512,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
 			mr->x, mr->y, mr->w, mr->h);
 
 	if (r > 0) {
-		if (copy_to_user(mr->buffer, buf, mr->buffer_size))
+		if (copy_to_user(mr->buffer, buf, r))
 			r = -EFAULT;
 	}