author: Stefan Dirsch <sndirsch@suse.de> 2018-07-05 14:35:34 +0200
committer: Stefan Dirsch <sndirsch@suse.de> 2018-07-07 20:33:13 +0200
commit: cef968addcfdfc5792e29536e7a49a39872877b3
tree: 4919bd95dbc59d5bab57915a56d614343b1eb499
parent: b81ce5894988ebc1a4295c6ae9d2500a85580076
video: fbdev: uvesafb: Fix integer overflow in allocation
(bsc#1100418, CVE-2018-13406)
-rw-r--r-- patches.fixes/0001-video-uvesafb-Fix-integer-overflow-in-allocation.patch 37
-rw-r--r-- series.conf 1
2 files changed, 38 insertions, 0 deletions
diff --git a/patches.fixes/0001-video-uvesafb-Fix-integer-overflow-in-allocation.patch b/patches.fixes/0001-video-uvesafb-Fix-integer-overflow-in-allocation.patch
new file mode 100644
index 0000000000..42500efe39
--- /dev/null
+++ b/patches.fixes/0001-video-uvesafb-Fix-integer-overflow-in-allocation.patch
@@ -0,0 +1,37 @@
+From 9f645bcc566a1e9f921bdae7528a01ced5bc3713 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 11 May 2018 18:24:12 +1000
+Subject: [PATCH] video: fbdev: uvesafb: Fix integer overflow in allocation
+References: bsc#1100418, CVE-2018-13406
+Patch-mainline: v4.17
+Git-commit: 9f645bcc566a1e9f921bdae7528a01ced5bc3713
+
+cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
+allocation. This uses kmalloc_array() instead to catch the condition.
+
+Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
+Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Stefan Dirsch <sndirsch@suse.de>
+---
+ drivers/video/fbdev/uvesafb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
+index 73676eb0244a..c592ca513115 100644
+--- a/drivers/video/fbdev/uvesafb.c
++++ b/drivers/video/fbdev/uvesafb.c
+@@ -1044,7 +1044,8 @@ static int uvesafb_setcmap(struct fb_cmap *cmap, struct fb_info *info)
+ info->cmap.len || cmap->start < info->cmap.start)
+ return -EINVAL;
+
+- entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL);
++ entries = kmalloc_array(cmap->len, sizeof(*entries),
++ GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
+
+--
+2.16.3
+
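Review bot: in the uvesafb_setcmap() hunk, kmalloc_array() turns a wrapped size into a NULL return, so an oversized cmap->len now falls through to the existing `if (!entries) return -ENOMEM;` and is reported as memory exhaustion rather than as a bad argument. If callers should be able to tell the two apart, consider rejecting the out-of-range length with -EINVAL in the check directly above the allocation. The commit message would also benefit from one sentence on why the preceding check against info->cmap.len does not already bound cmap->len, since that is the first thing a backport reviewer will ask.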
diff --git a/series.conf b/series.conf
index bb04c47b0a..47ce15ea2c 100644
--- a/series.conf
+++ b/series.conf
@@ -4151,6 +4151,7 @@
patches.drivers/drm-vmwgfx-Support-topology-greater-than-texture-siz
patches.drivers/drm-vmwgfx-Fix-large-topology-crash
patches.drivers/drm-vmwgfx-Limit-max-desktop-dimensions-to-8Kx8K
+ patches.fixes/0001-video-uvesafb-Fix-integer-overflow-in-allocation.patch
########################################################
# video4linux
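Review bot: the added series.conf entry keeps the git format-patch "0001-" prefix and lives under patches.fixes/, while the neighbouring entries in this hunk are unnumbered files under patches.drivers/. Consider dropping the sequence prefix so the name stays stable if the patch is ever regenerated. The entry is also appended directly after the drm-vmwgfx patches and just ahead of the video4linux section header, so please confirm that this is the intended section for an fbdev fix.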