linux-uconsole/drivers
Ian Abbott 14a1fe5de9 spi: spidev: fix possible arithmetic overflow for multi-transfer message
commit f20fbaad76 upstream.

`spidev_message()` sums the lengths of the individual SPI transfers to
determine the overall SPI message length.  It restricts the total
length, returning an error if too long, but it does not check for
arithmetic overflow.  For example, if the SPI message consisted of two
transfers and the first has a length of 10 and the second has a length
of (__u32)(-1), the total length would be seen as 9, even though the
second transfer is actually very long.  If the second transfer specifies
a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
overrun the spidev's pre-allocated tx buffer before it reaches an
invalid user memory address.  Fix it by checking that neither the total
nor the individual transfer lengths exceed the maximum allowed value.

Thanks to Dan Carpenter for reporting the potential integer overflow.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-06 21:56:21 +02:00
accessibility
acpi cpuidle: ACPI: do not overwrite name and description of C0 2015-04-19 10:10:49 +02:00
amba
ata sata_dwc_460ex: fix resource leak on error path 2015-01-29 17:40:56 -08:00
atm atm: idt77252: fix dev refcnt leak 2013-12-08 07:29:25 -08:00
auxdisplay
base driver core: Fix unbalanced device reference in drivers_probe 2015-01-16 06:59:01 -08:00
bcma
block nbd: fix possible memory leak 2015-04-19 10:10:47 +02:00
bluetooth Bluetooth: Ignore isochronous endpoints for Intel USB bootloader 2015-04-29 10:33:59 +02:00
bus bus: mvebu-mbus: fix support of MBus window 13 2015-01-29 17:40:56 -08:00
cdrom
char tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send 2015-03-26 15:00:58 +01:00
clk clk: sunxi: Support factor clocks with N factor starting not from 0 2015-03-18 13:22:34 +01:00
clocksource clocksource: exynos_mct: Fix bitmask regression for exynos4_mct_write 2015-01-29 17:40:56 -08:00
connector net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-06-26 15:12:37 -04:00
cpufreq cpufreq: speedstep-smi: enable interrupts when waiting 2015-03-06 14:40:48 -08:00
cpuidle cpuidle: Check the result of cpuidle_get_driver() against NULL 2014-04-14 06:42:15 -07:00
crypto crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
dca
devfreq
dio
dma dmaengine: omap-dma: Fix memory leak when terminating running transfer 2015-04-19 10:10:49 +02:00
edac sb_edac: avoid INTERNAL ERROR message in EDAC with unspecified channel 2015-04-29 10:34:01 +02:00
eisa Revert "EISA: Initialize device before its resources" 2014-02-13 13:47:59 -08:00
extcon extcon: max77693: Fix two NULL pointer exceptions on missing pdata 2014-07-06 18:54:15 -07:00
firewire firewire: cdev: prevent kernel stack leaking into ioctl arguments 2014-11-21 09:22:53 -08:00
firmware efi-pstore: Make efi-pstore return a unique id 2015-02-05 22:35:40 -08:00
gpio gpio: tps65912: fix wrong container_of arguments 2015-03-06 14:40:52 -08:00
gpu radeon: Do not directly dereference pointers to BIOS area. 2015-04-19 10:10:48 +02:00
hid HID: fixup the conflicting keyboard mappings quirk 2015-03-18 13:22:35 +01:00
hsi
hv Drivers: hv: vmbus: incorrect device name is printed when child device is unregistered 2015-03-18 13:22:35 +01:00
hwmon hwmon: (dme1737) Prevent overflow problem when writing large limits 2014-09-05 16:28:35 -07:00
hwspinlock
i2c i2c: davinci: generate STP always when NACK is received 2014-12-16 09:09:42 -08:00
ide
idle x86 idle: Repair large-server 50-watt idle-power regression 2014-01-09 12:24:21 -08:00
iio iio: imu: Use iio_trigger_get for indio_dev->trig assignment 2015-04-19 10:10:49 +02:00
infiniband IB/mlx4: Saturate RoCE port PMA counters in case of overflow 2015-04-19 10:10:50 +02:00
input Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857) 2015-02-05 22:35:36 -08:00
iommu iommu/vt-d: Fix an off-by-one bug in __domain_mapping() 2015-01-16 06:59:01 -08:00
ipack
irqchip irqchip: gic: Fix core ID calculation when topology is read from DT 2014-07-28 08:00:06 -07:00
isdn isdnloop: several buffer overflows 2014-04-14 06:42:18 -07:00
leds leds: leds-pwm: properly clean up after probe failure 2014-06-07 13:25:34 -07:00
lguest x86, flags: Rename X86_EFLAGS_BIT1 to X86_EFLAGS_FIXED 2014-11-14 08:47:54 -08:00
macintosh
mailbox
md dm: hold suspend_lock while suspending device during device deletion 2015-04-13 14:02:12 +02:00
media media: s5p-mfc: fix mmap support for 64bit arch 2015-04-19 10:10:50 +02:00
memory
memstick
message mptfusion: enable no_write_same for vmware scsi disks 2014-10-30 09:35:10 -07:00
mfd mfd: tc6393xb: Fail ohci suspend if full state restore is required 2015-01-08 09:58:15 -08:00
misc mei: bus: fix possible boundaries violation 2014-11-21 09:22:55 -08:00
mmc mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles 2015-03-06 14:40:49 -08:00
mtd UBI: Fix double free after do_sync_erase() 2015-01-16 06:59:01 -08:00
net benet: Call dev_kfree_skby_any instead of kfree_skb. 2015-04-29 10:33:57 +02:00
nfc NFC: microread: Potential overflows in microread_target_discovered() 2014-10-05 14:54:12 -07:00
ntb NTB: Correct debugfs to work with more than 1 NTB Device 2013-11-13 12:05:35 +09:00
nubus
of of/base: Fix PowerPC address parsing hack 2014-12-06 15:05:47 -08:00
oprofile
parisc
parport parport: parport_pc: remove double PCI ID for NetMos 2014-02-06 11:08:15 -08:00
pci PCI: Fix infinite loop with ROM image of size 0 2015-03-06 14:40:48 -08:00
pcmcia
pinctrl pinctrl: Fix two deadlocks 2015-01-29 17:40:55 -08:00
platform hp_accel: Add support for HP ZBook 15 2015-01-27 07:52:31 -08:00
pnp PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures 2014-03-23 21:38:22 -07:00
power power_supply: 88pm860x: Fix leaked power supply on probe fail 2015-03-06 14:40:49 -08:00
pps
ps3
ptp
pwm
rapidio rapidio/tsi721_dma: fix failure to obtain transaction descriptor 2014-08-07 14:30:25 -07:00
regulator regulator: core: Fix enable GPIO reference counting 2015-03-26 15:00:59 +01:00
remoteproc
reset
rpmsg
rtc rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq 2014-06-26 15:12:37 -04:00
s390 crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
sbus bbc-i2c: Fix BBC I2C envctrl on SunBlade 2000 2014-08-14 09:24:16 +08:00
scsi be2iscsi: Fix kernel panic when device initialization fails 2015-04-19 10:10:50 +02:00
sfi
sh
sn
spi spi: spidev: fix possible arithmetic overflow for multi-transfer message 2015-05-06 21:56:21 +02:00
ssb
ssbi
staging vt6655: RFbSetPower fix missing rate RATE_12M 2015-04-13 14:02:12 +02:00
target iscsi target: fix oops when adding reject pdu 2015-04-19 10:10:50 +02:00
tc
thermal
tty serial: 8250_dw: Fix deadlock in LCR workaround 2015-04-29 10:33:57 +02:00
uio Fix a few incorrectly checked [io_]remap_pfn_range() calls 2013-11-13 12:05:33 +09:00
usb cdc-wdm: fix endianness bug in debug statements 2015-05-06 21:56:21 +02:00
uwb
vfio vfio-pci: Fix the check on pci device type in vfio_pci_probe() 2015-01-27 07:52:32 -08:00
vhost vhost-scsi: Add missing virtio-scsi -> TCM attribute conversion 2015-02-05 22:35:40 -08:00
video video/logo: prevent use of logos after they have been freed 2015-01-27 07:52:31 -08:00
virt
virtio virtio_pci: fix virtio spec compliance on restore 2014-11-14 08:47:55 -08:00
vlynq
vme VME: Correct read/write alignment algorithm 2014-02-22 12:41:28 -08:00
w1 w1: fix w1_send_slave dropping a slave id 2014-05-06 07:55:28 -07:00
watchdog watchdog: ath79_wdt: avoid spurious restarts on AR934x 2014-07-06 18:54:14 -07:00
xen xen-pciback: limit guest control of command register 2015-03-26 15:00:59 +01:00
zorro
Kconfig
Makefile