Security: CVE-2017-0404
Issue description

Advisory: CVE-2017-0404
Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0404
CVSS severity score: 7.6/10.0
Confidence: high
Description: An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
Product: Android
Versions: Kernel-3.10, Kernel-3.18
Android ID: A-32510733
This problem only affects kernels up to v3.18.

Jan 30 2017

Feb 1 2017
Assigning medium because this attack requires compromising a privileged process first.

Feb 8 2017
groeck: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 8 2017
Waiting for code review (CL:439604)

Feb 8 2017

Feb 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/84740629cf2ea00e281f136fe67a83e982a42d91

commit 84740629cf2ea00e281f136fe67a83e982a42d91
Author: Siqi Lin <siqilin@google.com>
Date: Thu Feb 09 00:24:37 2017

CHROMIUM: ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int.

BUG=b/32510733, chromium:684626
TEST=Build allmodconfig

Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 884632813067fc8513c279e7f5f80f74fa3a685b)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I776b8774c6afba066aa25a707c4f54be9efecde5
Reviewed-on: https://chromium-review.googlesource.com/439604
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/84740629cf2ea00e281f136fe67a83e982a42d91/sound/core/info.c

Feb 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9938a6cd1600b9ff5cb17c4ebcba186997e6b078

commit 9938a6cd1600b9ff5cb17c4ebcba186997e6b078
Author: Siqi Lin <siqilin@google.com>
Date: Thu Feb 09 00:24:30 2017

CHROMIUM: ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int.

BUG=b/32510733, chromium:684626
TEST=Build allmodconfig

Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 884632813067fc8513c279e7f5f80f74fa3a685b)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I776b8774c6afba066aa25a707c4f54be9efecde5
Reviewed-on: https://chromium-review.googlesource.com/439396
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/9938a6cd1600b9ff5cb17c4ebcba186997e6b078/sound/core/info.c

Feb 9 2017
Will first land in M-58.

Feb 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e55986d5fe35b9a449a3c96f7c9cc90e7b9a061a

commit e55986d5fe35b9a449a3c96f7c9cc90e7b9a061a
Author: Siqi Lin <siqilin@google.com>
Date: Thu Feb 09 04:31:59 2017

CHROMIUM: ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int.

BUG=b/32510733, chromium:684626
TEST=Build allmodconfig

Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 884632813067fc8513c279e7f5f80f74fa3a685b)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I776b8774c6afba066aa25a707c4f54be9efecde5
Reviewed-on: https://chromium-review.googlesource.com/439398
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e55986d5fe35b9a449a3c96f7c9cc90e7b9a061a/sound/core/info.c

Feb 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d5f25d3f7f8b80bf9e5e224f3a0291b6b9bbe407

commit d5f25d3f7f8b80bf9e5e224f3a0291b6b9bbe407
Author: Siqi Lin <siqilin@google.com>
Date: Thu Feb 09 07:31:30 2017

CHROMIUM: ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int.

BUG=b/32510733, chromium:684626
TEST=Build allmodconfig

Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 884632813067fc8513c279e7f5f80f74fa3a685b)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I776b8774c6afba066aa25a707c4f54be9efecde5
Reviewed-on: https://chromium-review.googlesource.com/439397
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/d5f25d3f7f8b80bf9e5e224f3a0291b6b9bbe407/sound/core/info.c
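The size truncation that the four commit messages above describe, shown as an added example. This is constructed for this page and is not code from the Chromium OS kernel tree or from the commits: a stand-in for resize_info_buffer() that takes its size as unsigned int, an unchecked caller that hands it pos + count computed as an unsigned long, and a checked caller that rejects a request whose length is not representable as unsigned int before the narrowing call. The helper names (model_resize_info_buffer, unchecked_resize, checked_resize, write_overruns) and the sample values are assumptions; the block assumes a 64-bit unsigned long, as on the kernels the messages refer to.

```c
/* Added example for this page, not code from the Chromium OS kernel tree.
 * It models the narrowing the commit message describes: the caller computes
 * pos + count as an unsigned long, the resize helper takes an unsigned int,
 * and on a 64-bit kernel the high bits are silently dropped. All names and
 * sample values below are constructed for illustration. The demonstration
 * assumes unsigned long is wider than unsigned int (true on LP64 Linux). */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for resize_info_buffer(): like the real helper it takes the new
 * size as unsigned int. It returns the size the buffer would now hold.
 * (Hypothetical model; it allocates nothing.) */
static unsigned int model_resize_info_buffer(unsigned int size)
{
    return size;
}

/* Unchecked caller, mirroring the pre-fix shape: pos + count is computed in
 * unsigned long and passed straight through, so anything above UINT_MAX is
 * truncated. Returns the size the buffer actually ends up with. */
static unsigned int unchecked_resize(unsigned long pos, size_t count)
{
    return model_resize_info_buffer(pos + count);
}

/* Checked caller: rejects any request whose resized length is not
 * representable as unsigned int before it reaches the narrowing call.
 * Returns the new buffer size, or -1 if the request is rejected. */
static long long checked_resize(unsigned long pos, size_t count)
{
    if (count > ULONG_MAX - pos)        /* pos + count wraps in unsigned long */
        return -1;
    if (pos + count > UINT_MAX)         /* would be truncated by the callee */
        return -1;
    return model_resize_info_buffer((unsigned int)(pos + count));
}

/* 1 when a write of 'count' bytes at 'pos' would run past a buffer of
 * 'allocated' bytes, i.e. the out-of-bounds condition the fix prevents. */
static int write_overruns(unsigned long pos, size_t count, unsigned int allocated)
{
    return pos + count > allocated;
}

int main(void)
{
    unsigned long pos = 0x100000000UL;  /* constructed: one byte past 4 GiB */
    size_t count = 16;
    unsigned int got = unchecked_resize(pos, count);

    /* The unchecked path sizes the buffer to 16 bytes for a 4 GiB + 16 request,
     * so the subsequent copy would overrun it; the checked path refuses. */
    printf("unchecked: requested %lu bytes, buffer sized to %u, overrun=%d\n",
           pos + count, got, write_overruns(pos, count, got));
    printf("checked:   result %lld (negative means rejected)\n",
           checked_resize(pos, count));
    return 0;
}
```

The check in checked_resize() is the shape of guard the commit title names: compare the full-width sum against UINT_MAX before calling into a function that narrows its argument, and also rule out the wrap of pos + count itself, which a single comparison against UINT_MAX would miss.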

Feb 9 2017

Apr 18 2017

May 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Apr 25 2018

Comment 1 by groeck@chromium.org, Jan 24 2017