oss-sec mailing list archives
Re: stack buffer overflow in fbdev
From: Linus Torvalds <torvalds () linux-foundation org>
Date: Tue, 23 Jul 2019 10:08:17 -0700
On Sat, Jul 20, 2019 at 5:35 PM Tavis Ormandy <taviso () gmail com> wrote:
> There is enough space to have 52 1-byte length values, which makes svd_n 52, then make the final value length 0x1f (the maximum), which makes svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled data. This requires a malicious monitor / projector / etc, so pretty low impact.

Ok, so I went back all the way to 3.16, and in 4.4 and earlier the only user of fb_edid_add_monspecs() was that SH-Mobile SoCs driver that got removed for no use.

So I think we can ignore this even for stable kernels, and I'll get the pull request that removes the function entirely some time in the future.

Linus
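
Added example, not part of the thread and not the kernel's code: a simplified model of collecting entries from length-prefixed data blocks into a 64-entry buffer, with the bound applied to the running total, since each block length is at most 0x1f but the sum across blocks is not. The names `collect_svds`, `svd_result` and `run_constructed_case` are hypothetical, and the header layout (tag in the upper three bits, tag 2 for video blocks) is assumed from CEA-861; the input is constructed from the numbers in the quoted report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SVD_CAP   64   /* size of svd[] given in the report */
#define TAG_VIDEO 2    /* CEA-861 video data block tag */
struct svd_result {
    uint8_t svd[SVD_CAP];
    size_t stored;     /* entries written, never more than SVD_CAP */
    size_t wanted;     /* entries the input asked to store */
    int malformed;     /* a block's payload ran past the input */
};

/* Hypothetical helper. Header byte: tag in bits 7-5, length in bits 4-0. */
static struct svd_result collect_svds(const uint8_t *blk, size_t n)
{
    struct svd_result r = { .stored = 0 };
    size_t pos = 0;
    while (pos < n) {
        size_t len = blk[pos] & 0x1f;
        if (len > n - pos - 1) {      /* payload must fit in the input */
            r.malformed = 1;
            break;
        }
        for (size_t i = 1; (blk[pos] >> 5) == TAG_VIDEO && i <= len; i++) {
            r.wanted++;
            if (r.stored < SVD_CAP)   /* bound the running total, not one block */
                r.svd[r.stored++] = blk[pos + i] & 0x7f;
        }
        pos += len + 1;
    }
    return r;
}

/* Constructed input, report's numbers: 52 one-entry blocks, then one of 0x1f. */
static struct svd_result run_constructed_case(void)
{
    uint8_t blk[52 * 2 + 1 + 0x1f];
    memset(blk, 0x01, sizeof(blk));            /* every payload byte is 0x01 */
    for (int i = 0; i < 52; i++)
        blk[2 * i] = (TAG_VIDEO << 5) | 1;     /* header, length 1 */
    blk[104] = (TAG_VIDEO << 5) | 0x1f;        /* header, length 31 */
    return collect_svds(blk, sizeof(blk));
}

int main(void)
{
    struct svd_result r = run_constructed_case();
    printf("wanted=%zu stored=%zu malformed=%d\n", r.wanted, r.stored, r.malformed);
    return 0;
}
```

A caller can treat `wanted > stored` or `malformed` as a reason to reject the display's data rather than use a partial list.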