linux/drivers
Ian Abbott f20fbaad76 spi: spidev: fix possible arithmetic overflow for multi-transfer message
`spidev_message()` sums the lengths of the individual SPI transfers to
determine the overall SPI message length.  It restricts the total
length, returning an error if too long, but it does not check for
arithmetic overflow.  For example, if the SPI message consisted of two
transfers and the first has a length of 10 and the second has a length
of (__u32)(-1), the total length would be seen as 9, even though the
second transfer is actually very long.  If the second transfer specifies
a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
overrun the spidev's pre-allocated tx buffer before it reaches an
invalid user memory address.  Fix it by checking that neither the total
nor the individual transfer lengths exceed the maximum allowed value.

Thanks to Dan Carpenter for reporting the potential integer overflow.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
2015-03-23 14:00:51 -07:00
..
accessibility
acpi Additional power management and ACPI updates for v3.20-rc1 2015-02-21 13:40:41 -08:00
amba ARM: 8256/1: driver coamba: add device binding path 'driver_override' 2015-02-10 10:23:15 +00:00
android
ata Merge branch 'for-3.20/drivers' of git://git.kernel.dk/linux-block 2015-02-12 14:30:53 -08:00
atm
auxdisplay
base driver core patches for 3.20-rc1 2015-02-15 11:11:47 -08:00
bcma
block Merge branch 'for-3.20' of git://git.infradead.org/users/kbusch/linux-nvme into for-linus 2015-02-20 22:12:02 -08:00
bluetooth TTY/Serial driver patches for 3.20-rc1 2015-02-15 11:37:02 -08:00
bus ARM: SoC platform changes 2015-02-17 09:27:54 -08:00
cdrom
char ipmi: Fix a memory ordering issue 2015-02-19 20:58:42 -06:00
clk The clock framework changes for 3.20 contain the usual driver additions, 2015-02-21 12:30:30 -08:00
clocksource ARM: SoC platform changes 2015-02-17 09:27:54 -08:00
connector
coresight
cpufreq Additional power management and ACPI updates for v3.20-rc1 2015-02-21 13:40:41 -08:00
cpuidle Merge branches 'pnp', 'pm-cpuidle' and 'pm-cpufreq' 2015-02-21 04:29:16 +01:00
crypto Merge branch 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma 2015-02-18 08:49:20 -08:00
dca
devfreq Merge branches 'pm-cpufreq', 'pm-cpuidle', 'pm-devfreq', 'pm-opp' and 'pm-tools' 2015-02-13 21:39:06 +01:00
dio
dma Merge branch 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma 2015-02-18 08:49:20 -08:00
dma-buf
edac * A fix to sb_edac for proper detection on SNB machines 2015-02-19 11:18:14 -08:00
eisa
extcon
firewire
firmware Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-02-21 10:41:29 -08:00
fmc
gpio Merge branch 'for-linus' of git://ftp.arm.linux.org.uk/~rmk/linux-arm 2015-02-12 08:51:56 -08:00
gpu Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2015-02-16 15:48:00 -08:00
hid Merge branches 'for-3.19/upstream-fixes', 'for-3.20/apple', 'for-3.20/betop', 'for-3.20/lenovo', 'for-3.20/logitech', 'for-3.20/rmi', 'for-3.20/upstream' and 'for-3.20/wacom' into for-linus 2015-02-09 11:17:45 +01:00
hsi
hv Char / Misc patches for 3.20-rc1 2015-02-15 10:48:44 -08:00
hwmon Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
hwspinlock
i2c Merge branch 'i2c/for-3.20' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2015-02-21 12:41:50 -08:00
ide
idle intel_idle: Add ->enter_freeze callbacks 2015-02-15 19:40:09 +01:00
iio Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
infiniband Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-02-22 17:42:14 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-02-21 12:59:04 -08:00
iommu IOMMU Updates for Linux v3.20 2015-02-12 09:16:56 -08:00
ipack
irqchip Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-02-21 19:41:38 -08:00
isdn Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
leds
lguest OK, this has the big virtio 1.0 implementation, as specified by OASIS. 2015-02-18 09:24:01 -08:00
macintosh
mailbox Merge branch 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2015-02-11 12:56:40 -08:00
mcb
md - Significant dm-crypt CPU scalability performance improvements thanks 2015-02-21 13:28:45 -08:00
media mm: gup: use get_user_pages_unlocked 2015-02-11 17:06:05 -08:00
memory
memstick
message
mfd Changes to existing drivers: 2015-02-18 09:05:48 -08:00
misc Char / Misc patches for 3.20-rc1 2015-02-15 10:48:44 -08:00
mmc The clock framework changes for 3.20 contain the usual driver additions, 2015-02-21 12:30:30 -08:00
mtd MTD updates for 3.20-rc1 2015-02-18 08:01:44 -08:00
net Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
nfc
ntb
nubus
of PCI updates for v3.20: 2015-02-18 09:43:46 -08:00
oprofile
parisc
parport
pci Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
pcmcia ARM: SoC driver updates 2015-02-17 09:38:59 -08:00
phy USB patches for 3.20-rc1 2015-02-15 10:24:55 -08:00
pinctrl This is the bulk of pin control changes for the v3.20 cycle: 2015-02-11 11:23:13 -08:00
platform Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-02-21 11:12:07 -08:00
pnp Merge branches 'pnp', 'pm-cpuidle' and 'pm-cpufreq' 2015-02-21 04:29:16 +01:00
power
powercap
pps
ps3
ptp
pwm pwm: tegra: Use NSEC_PER_SEC 2015-02-18 08:40:29 +01:00
rapidio Merge branch 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma 2015-02-18 08:49:20 -08:00
ras
regulator Changes to existing drivers: 2015-02-18 09:05:48 -08:00
remoteproc
reset
rpmsg
rtc Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
s390 Fairly small update, but there are some interesting new features. 2015-02-13 09:55:09 -08:00
sbus
scsi SCSI misc on 20150221 2015-02-21 19:16:42 -08:00
sfi
sh
sn
soc ARM: SoC driver updates 2015-02-17 09:38:59 -08:00
spi spi: spidev: fix possible arithmetic overflow for multi-transfer message 2015-03-23 14:00:51 -07:00
spmi
ssb treewide: Remove unnecessary SSB_DEVTABLE_END macro 2015-02-11 14:38:29 -08:00
staging Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-02-22 17:42:14 -08:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-02-21 13:21:19 -08:00
tc
thermal thermal: exynos: fix: Check if data->tmu_read callback is present before read 2015-02-20 21:57:02 +08:00
thunderbolt
tty Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
uio
usb Merge branch 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2015-02-19 10:36:45 -08:00
uwb USB patches for 3.20-rc1 2015-02-15 10:24:55 -08:00
vfio vfio-pci: Add device request interface 2015-02-10 12:38:14 -07:00
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-02-21 13:21:19 -08:00
video mm: gup: use get_user_pages_unlocked 2015-02-11 17:06:05 -08:00
virt
virtio virtio: don't set VIRTIO_CONFIG_S_DRIVER_OK twice. 2015-02-17 16:19:29 +10:30
vlynq
vme
w1
watchdog watchdog: bcm47xx_wdt.c: allow enabling on BCM5301X arch 2015-02-17 21:34:13 +01:00
xen SCSI misc on 20150209 2015-02-11 10:28:45 -08:00
zorro
Kconfig
Makefile