author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2018-07-13 00:29:36 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-07-16 10:04:11 +0200 |
commit | b96fba8d5855c3617adbfb43ca4723a808cac954 (patch) | |
tree | 893160b3923fce357d34268d3b0bdcce6f2e91e3 /crypto/crypto_wq.c | |
parent | eb37430d402de7d1cb2f37a5fdc80620dd98dc1d (diff) |
staging: speakup: fix wraparound in uaccess length check

If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
the loop to copy as much data as available to the provided buffer. If
softsynthx_read() is invoked through sys_splice(), this causes an
unbounded kernel write; but even when userspace just reads from it
normally, a small size could cause userspace crashes.

Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto/crypto_wq.c')
0 files changed, 0 insertions, 0 deletions
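
The unsigned wraparound described in the commit message, modelled in userspace C as an added example; this is not the driver's code and not part of the commit. The function names, the loop shape and the sample sizes are assumptions made for illustration; only the `count - 3` subtraction on an unsigned length comes from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes emitted per loop iteration: the "3" in `count - 3`. */
#define UNIT ((size_t)3)

/*
 * Constructed model of a read loop with the unchecked bound.
 * `count` is the caller's buffer size, `avail` the bytes queued.
 * Nothing is copied; the function only returns how many bytes the
 * loop would have written, so an overrun shows up as a number.
 */
static size_t model_unchecked(size_t count, size_t avail)
{
    size_t sent = 0;

    /* count is unsigned: for count < 3, count - 3 wraps to a value
     * near SIZE_MAX and the bound never stops the loop. */
    while (avail - sent >= UNIT && sent <= count - UNIT)
        sent += UNIT;
    return sent;
}

/* Same loop with the length validated before the subtraction. */
static size_t model_checked(size_t count, size_t avail)
{
    size_t sent = 0;

    if (count < UNIT)
        return 0; /* a real read handler would return an error here */
    while (avail - sent >= UNIT && sent <= count - UNIT)
        sent += UNIT;
    return sent;
}

int main(void)
{
    /* Constructed sample: a 2-byte buffer and 300 queued bytes. */
    printf("unchecked, count=2: %zu bytes written\n", model_unchecked(2, 300));
    printf("checked,   count=2: %zu bytes written\n", model_checked(2, 300));
    printf("unchecked, count=9: %zu bytes written\n", model_unchecked(9, 300));
    return 0;
}
```

With a buffer of at least 3 bytes both versions stop at the buffer size; only lengths below 3 separate them, which is why the defect is easy to miss in ordinary read testing.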