Re: [PATCH] staging: speakup: fix wraparound in uaccess length check
From: Greg Kroah-Hartman
Date: Sat Jul 07 2018 - 04:01:45 EST
On Sat, Jul 07, 2018 at 03:53:44AM +0200, Jann Horn wrote:
> If softsynthx_read() is called with `count < 3`, `count - 3` wraps, causing
> the loop to copy as much data as available to the provided buffer. If
> softsynthx_read() is invoked through sys_splice(), this causes an
> unbounded kernel write; but even when userspace just reads from it
> normally, a small size could cause userspace crashes.
>
> Fixes: 425e586cf95b ("speakup: add unicode variant of /dev/softsynth")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
> ---
>
> Reproducer (kernel overflows userspace stack, resulting in segfault):
Nice find, thanks for the patch!
greg k-h