authorTakashi Iwai <tiwai@suse.de>2018-10-15 17:58:55 +0200
committerTakashi Iwai <tiwai@suse.de>2018-10-15 17:58:55 +0200
commit680b1506f519bfa6c8afec929d0ca37ad5cc85c9 (patch)
tree3c2dbb03b84643d3af66fd6c8e1aa7833461cf1d
parent6f8d9b681148b05d06ea9456e231839ac8b4f5f8 (diff)
stm: Potential read overflow in stm_char_policy_set_ioctl()
(bsc#1051510).
-rw-r--r--patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch36
-rw-r--r--series.conf1
2 files changed, 37 insertions, 0 deletions
diff --git a/patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch b/patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch
new file mode 100644
index 0000000000..673dfb565f
--- /dev/null
+++ b/patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch
@@ -0,0 +1,36 @@
+From 71c488f32b071bfb5cfe9ddf682cd2e0c310c75d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 10 Aug 2017 15:45:10 +0300
+Subject: [PATCH] stm: Potential read overflow in stm_char_policy_set_ioctl()
+Git-commit: 71c488f32b071bfb5cfe9ddf682cd2e0c310c75d
+Patch-mainline: v4.14-rc1
+References: bsc#1051510
+
+The "size" variable comes from the user so we need to verify that it's
+large enough to hold an stp_policy_id struct.
+
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/stm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index 0e731143f6a4..9414900575d8 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -566,7 +566,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
+ if (copy_from_user(&size, arg, sizeof(size)))
+ return -EFAULT;
+
+- if (size >= PATH_MAX + sizeof(*id))
++ if (size < sizeof(*id) || size >= PATH_MAX + sizeof(*id))
+ return -EINVAL;
+
+ /*
+--
+2.19.0
+
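Review bot: The combined check `if (size < sizeof(*id) || size >= PATH_MAX + sizeof(*id))` in stm_char_policy_set_ioctl() has no comment explaining its two bounds, and the reason for the lower one is recorded only in the commit message. I would add above it `/* size is user-supplied: reject anything smaller than the fixed struct, or PATH_MAX or more beyond it */` so the lower bound is not dropped in a later cleanup. The function body starts and ends outside this hunk, so the next point is inferred rather than seen. If the later code copies the whole structure from `arg` again, the size field inside that copy is a second fetch from user memory and may differ from the value validated here. Any later length should therefore come from the local `size`, not from the copied struct.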
diff --git a/series.conf b/series.conf
index ce6b68009f..a05c3e4d14 100644
--- a/series.conf
+++ b/series.conf
@@ -5386,6 +5386,7 @@
patches.drivers/0032-thunderbolt-Make-key-root-only-accessible.patch
patches.drivers/0033-thunderbolt-Allow-clearing-the-key.patch
patches.drivers/0034-thunderbolt-Fix-reset-response_type.patch
+ patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch
patches.drivers/intel_th-pci-Enable-bus-mastering
patches.drivers/intel_th-Output-devices-without-ports-don-t-need-ass
patches.drivers/intel_th-Streamline-the-subdevice-tree-accessors