http://bugzilla.opensuse.org/show_bug.cgi?id=1021294 Bug ID: 1021294 Summary: VUL-0: kernel-source: vc4: int overflow leading to heap-based buffer overflow Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-maintainers@forge.provo.novell.com Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q1/165 =============================================== This issue affects the VC4_SUBMIT_CL IOCTL in the VideoCore DRM driver, so probably only affects devices like the Raspberry Pi. Quoting from Eric Anholt's post: "We copy the unvalidated ioctl arguments from the user into kernel temporary memory to run the validation from, to avoid a race where the user updates the unvalidate contents in between validating them and copying them into the validated BO. However, in setting up the layout of the kernel side, we failed to check one of the additions (the roundup() for shader_rec_offset) against integer overflow, allowing a nearly MAX_UINT value of bin_cl_size to cause us to under-allocate the temporary space that we then copy_from_user into." https://lkml.org/lkml/2017/1/17/761 https://lkml.org/lkml/2017/1/17/759 (discovered by Ingo Molnar) =============================================== -- You are receiving this mail because: You are on the CC list for the bug.