[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: stack buffer overflow in fbdev
From:       Linus Torvalds <torvalds () linux-foundation ! org>
Date:       2019-07-23 17:08:17
Message-ID: CAHk-=wggoL7jRHTVxm=XLhtGwCwQ3On=GmqZ01OZpN7JU_072Q () mail ! gmail ! com
[Download RAW message or body]

On Sat, Jul 20, 2019 at 5:35 PM Tavis Ormandy <taviso@gmail.com> wrote:
>
> There is enough space to have 52 1-byte length values, which makes svd_n
> 52, then make the final value length 0x1f (the maximum), which makes
> svd_n 83 and overflows the 64 byte stack buffer svd[] with controlled
> data.
>
> This requires a malicious monitor / projector / etc, so pretty low impact.

Ok, so I went back all the way to 3.16, and in 4.4 and earlier the
only user of fb_edid_add_monspecs() was that SH-Mobile SoCs driver
that got removed for no use.

So I think we can ignore this even for stable kernels, and I'll get
the pull request that removes the function entirely some time in the
future.

             Linus
[prev in list] [next in list] [prev in thread] [next in thread]