[PATCH] staging: speakup: fix wraparound in uaccess length check

Greg Kroah-Hartman gregkh at linuxfoundation.org
Sat Jul 7 08:01:36 UTC 2018


On Sat, Jul 07, 2018 at 03:53:44AM +0200, Jann Horn wrote:
> If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
> the loop to copy as much data as available to the provided buffer. If
> softsynthx_read() is invoked through sys_splice(), this causes an
> unbounded kernel write; but even when userspace just reads from it
> normally, a small size could cause userspace crashes.
> 
> Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
> Cc: stable at vger.kernel.org
> Signed-off-by: Jann Horn <jannh at google.com>
> ---
> 
> Reproducer (kernel overflows userspace stack, resulting in segfault):

Nice find, thanks for the patch!

greg k-h


More information about the devel mailing list