Re: [PATCH] macintosh:fix oob read in do_adb_query function

t; req->data[2]].original_address" and "adb_handler[ > req->data[2]].handler_id" will lead to oob read. > > > [...] Applied to powerpc/next. [1/1] macintosh:fix oob read in do_adb_query function https://git.kernel.org/powerpc/c/fd97e4ad6d3b0c9fce3bca8ea8e6969d9ce7423b cheers

Re: [PATCH] macintosh:fix oob read in do_adb_query function

On Wed, 2022-07-13 at 11:53 -0700, Kees Cook wrote: > On Wed, Jul 13, 2022 at 11:37:34PM +0800, Ning Qiang wrote: > > In do_adb_query function of drivers/macintosh/adb.c, req->data is > > copy > > form userland. the parameter "req->data[2]" is Missing check, the > > array size of adb_handler[] is

Re: [PATCH] macintosh:fix oob read in do_adb_query function

On Wed, 2022-07-13 at 23:37 +0800, Ning Qiang wrote: > In do_adb_query function of drivers/macintosh/adb.c, req->data is > copy > form userland. the parameter "req->data[2]" is Missing check, the > array size of adb_handler[] is 16, so "adb_handler[ > req->data[2]].original_address" and

Re: [PATCH] macintosh:fix oob read in do_adb_query function

On Wed, Jul 13, 2022 at 11:37:34PM +0800, Ning Qiang wrote: > In do_adb_query function of drivers/macintosh/adb.c, req->data is copy > form userland. the parameter "req->data[2]" is Missing check, the > array size of adb_handler[] is 16, so "adb_handler[ > req->data[2]].original_address" and

Re: [PATCH] macintosh:fix oob read in do_adb_query function

On Wed, Jul 13, 2022 at 11:37:34PM +0800, Ning Qiang wrote: > In do_adb_query function of drivers/macintosh/adb.c, req->data is copy > form userland. the parameter "req->data[2]" is Missing check, the > array size of adb_handler[] is 16, so "adb_handler[ > req->data[2]].original_address" and

[PATCH] macintosh:fix oob read in do_adb_query function

In do_adb_query function of drivers/macintosh/adb.c, req->data is copy form userland. the parameter "req->data[2]" is Missing check, the array size of adb_handler[] is 16, so "adb_handler[ req->data[2]].original_address" and "adb_handler[ req->data[2]].handler_id" will lead to oob read.

[PATCH] macintosh:fix oob read in do_adb_query function

From: sohu0106 In do_adb_query function of drivers/macintosh/adb.c, req->data is copy form userland. The parameter "req->data[2]" is Missing check, the array size of adb_handler[] is 16, so "adb_handler[req->data[2]]. original_address" and "adb_handler[req->data[2]]. handler_id" will lead to oob

Re: [PATCH] macintosh:fix oob read in do_adb_query function

On Wed, Jul 13, 2022 at 09:40:37PM +0800, NAME wrote: > From: sohu0106 For obvious reasons, we need a real name here, and in the signed-off-by line. > In do_adb_query function of drivers/macintosh/adb.c, > req->data is copy form userland. The parameter > "req->data[2]" is Missing check, the

oob read in do_adb_query function

In do_adb_query function of drivers/macintosh/adb.c, req->data is copy form userland. the parameter "req->data[2]" is Missing check, the array size of adb_handler[] is 16, so "adb_handler[req->data[2]].original_address" and "adb_handler[req->data[2]].handler_id" will lead to oob read.  

Re: oob read in do_adb_query function

On Wed, 2022-07-13 at 09:54 +0800, sohu0106 wrote: > > > In do_adb_query function of drivers/macintosh/adb.c, req->data is > copy form userland. the parameter "req->data[2]" is Missing check, > the array size of adb_handler[] is 16, so "adb_handler[req- > >data[2]].original_address" and