| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Feb 2015 18:44:19 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...capital.net>, Wang YanQing <udknight@...il.com>, linux-kernel@...r.kernel.org, linux-nfs@...r.kernel.org, kernel-janitors@...r.kernel.org Subject: [patch] groups: integer underflow in groups_alloc() This is called from rsc_parse() with a use controlled value. Say for example that "gidsetsize" is negative, then we could end up allocating less than sizeof(struct group_info) leading to memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> --- I copied the NGROUPS_MAX limit from the surrounding code, I'm not absolutely that it's the correct limit to use. diff --git a/kernel/groups.c b/kernel/groups.c index 664411f..e9341b3 100644 --- a/kernel/groups.c +++ b/kernel/groups.c @@ -18,6 +18,9 @@ struct group_info *groups_alloc(int gidsetsize) int nblocks; int i; + if ((unsigned)gidsetsize > NGROUPS_MAX) + return NULL; + nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK; /* Make sure we always allocate at least one indirect block pointer */ nblocks = nblocks ? : 1; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists