From a4a2149c43873cebf8c466db8ae88dd1e805684f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 19 Mar 2021 10:46:46 +0100
Subject: [PATCH] 4.4-stable patches added patches: platform-chrome-cros_ec_dev-fix-security-issue.patch
---
 ...hrome-cros_ec_dev-fix-security-issue.patch | 69 +++++++++++++++++++
 queue-4.4/series | 1 +
 2 files changed, 70 insertions(+)
 create mode 100644 queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch
diff --git a/queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch b/queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch
new file mode 100644
index 00000000000..35e20291350
--- /dev/null
+++ b/queue-4.4/platform-chrome-cros_ec_dev-fix-security-issue.patch
@@ -0,0 +1,69 @@
+From 5d749d0bbe811c10d9048cde6dfebc761713abfd Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou
+Date: Tue, 8 Mar 2016 09:13:52 -0800
+Subject: platform/chrome: cros_ec_dev - Fix security issue
+
+From: Gwendal Grignou
+
+commit 5d749d0bbe811c10d9048cde6dfebc761713abfd upstream.
+
+Prevent memory scribble by checking that ioctl buffer size parameters
+are sane.
+Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
+.outsize the amount to scribble, we would overflow, allocate a small
+amounts and be able to write outside of the malloc'ed area.
+Adding a hard limit allows argument checking of the ioctl. With the
+current EC, it is expected .insize and .outsize to be at around 512 bytes
+or less.
+
+Signed-off-by: Gwendal Grignou
+Signed-off-by: Olof Johansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/chrome/cros_ec_dev.c | 4 ++++
+ drivers/platform/chrome/cros_ec_proto.c | 4 ++--
+ include/linux/mfd/cros_ec.h | 6 ++++--
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec_dev.c
++++ b/drivers/platform/chrome/cros_ec_dev.c
+@@ -137,6 +137,10 @@ static long ec_device_ioctl_xcmd(struct
+ if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
+ return -EFAULT;
+
++ if ((u_cmd.outsize > EC_MAX_MSG_BYTES) ||
++ (u_cmd.insize > EC_MAX_MSG_BYTES))
++ return -EINVAL;
++
+ s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
+ GFP_KERNEL);
+ if (!s_cmd)
+--- a/drivers/platform/chrome/cros_ec_proto.c
++++ b/drivers/platform/chrome/cros_ec_proto.c
+@@ -311,8 +311,8 @@ int cros_ec_query_all(struct cros_ec_dev
+ ec_dev->max_response = EC_PROTO2_MAX_PARAM_SIZE;
+ ec_dev->max_passthru = 0;
+ ec_dev->pkt_xfer = NULL;
+- ec_dev->din_size = EC_MSG_BYTES;
+- ec_dev->dout_size = EC_MSG_BYTES;
++ ec_dev->din_size = EC_PROTO2_MSG_BYTES;
++ ec_dev->dout_size = EC_PROTO2_MSG_BYTES;
+ } else {
+ /*
+ * It's possible for a test to occur too early when
+--- a/include/linux/mfd/cros_ec.h
++++ b/include/linux/mfd/cros_ec.h
+@@ -50,9 +50,11 @@ enum {
+ EC_MSG_TX_TRAILER_BYTES,
+ EC_MSG_RX_PROTO_BYTES = 3,
+
+- /* Max length of messages */
+- EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
++ /* Max length of messages for proto 2*/
++ EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
+ EC_MSG_TX_PROTO_BYTES,
++
++ EC_MAX_MSG_BYTES = 64 * 1024,
+ };
+
+ /*
diff --git a/queue-4.4/series b/queue-4.4/series
index 09a51753b89..62a2afef812 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,3 +1,4 @@
 ext4-handle-error-of-ext4_setup_system_zone-on-remount.patch
 ext4-don-t-allow-overlapping-system-zones.patch
 ext4-check-journal-inode-extents-more-carefully.patch
+platform-chrome-cros_ec_dev-fix-security-issue.patch
-- 
2.47.3
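Review bot: The new `EC_MAX_MSG_BYTES = 64 * 1024` enumerator in the cros_ec.h hunk carries no comment, unlike the neighbouring `EC_PROTO2_MSG_BYTES`, so a reader of the header cannot tell it is an input-validation ceiling rather than a protocol message size; I would add `/* Hard upper bound on ioctl insize/outsize, so sizeof(*s_cmd) + max() cannot overflow */` above it and, while there, fix the missing space in `/* Max length of messages for proto 2*/`. The check itself in the cros_ec_dev.c hunk is sufficient for the stated bug, since both operands of the kmalloc size are capped at 64 KiB before the addition, but that bound is far looser than the ~512 bytes the changelog says real ECs use, and the proto.c hunk shows a per-device `max_response` that could presumably give a tighter limit in a follow-up. Kernel style would also drop the redundant inner parentheses: `if (u_cmd.outsize > EC_MAX_MSG_BYTES || u_cmd.insize > EC_MAX_MSG_BYTES)`. ec_device_ioctl_xcmd begins and ends outside the hunk, so whether the later copies into s_cmd are bounded by the same validated values is not visible here.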