lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 5 May 2011 10:26:19 +0300
From:	Alexey Dobriyan <adobriyan@...il.com>
To:	Mansour Moufid <mansourmoufid@...il.com>
Cc:	torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] simple_strtoul: prevent integer overflows

On Thu, May 05, 2011 at 01:54:41AM -0400, Mansour Moufid wrote:
> This patch prevents integer overflows in the functions
> `simple_strtoull' and `simple_strtoul', in the file lib/vsprintf.c.
> This applies to stable version 2.6.38.5.
> 
> I'm aware of the kstrto* functions, but simple_strto* are still used
> in some network-exposed code (netfilter).

These changes break end pointer management at least
for simple_strtoul().

> --- vsprintf.c.orig
> +++ vsprintf.c
> @@ -63,11 +63,20 @@ unsigned long long simple_strtoull(const
>  		cp += 2;
> 
>  	while (isxdigit(*cp)) {
> -		unsigned int value;
> +		unsigned int value = 0;
> 
> -		value = isdigit(*cp) ? *cp - '0' : TOLOWER(*cp) - 'a' + 10;
> +		if (isdigit(*cp))
> +			value = *cp - '0';
> +		else if (isalpha(*cp))
> +			value = TOLOWER(*cp) - 'a' + 10;
> +		else
> +			break;
>  		if (value >= base)
>  			break;
> +		if (result > (ULLONG_MAX - value) / base) {
> +			result = ULLONG_MAX;
> +			break;
> +		}
>  		result = result * base + value;
>  		cp++;
>  	}
> @@ -86,7 +95,12 @@ EXPORT_SYMBOL(simple_strtoull);
>   */
>  unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
>  {
> -	return simple_strtoull(cp, endp, base);
> +	unsigned long long result = simple_strtoull(cp, endp, base);
> +
> +	if (result <= ULONG_MAX)
> +		return result;
> +
> +	return ULONG_MAX;
>  }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ