lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 5 Jun 2015 01:36:35 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Helge Deller <deller@....de>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] compat: fix possible out-of-bound accesses in
 compat_get_bitmap() and compat_put_bitmap()

On Fri, Jun 05, 2015 at 12:07:43AM +0200, Helge Deller wrote:
> In the functions compat_get_bitmap() and compat_put_bitmap() the variable
> nr_compat_longs stores how many compat_ulong_t words should be copied in a
> loop.
> 
> The copy loop itself is this:
>   if (nr_compat_longs-- > 0) {
>       if (__get_user(um, umask)) return -EFAULT;
>   } else {
>       um = 0;
>   }

Er...  When does that condition trigger?  We start with
(((n)+BITS_PER_COMPAT_LONG-1)/BITS_PER_COMPAT_LONG), which is
essentially DIV_ROUND_UP(n, BITS_PER_BYTE * sizeof(compat_long_t)).

Then we go through DIV_ROUND_UP(n, BITS_PER_BYTE * sizeof(long))
iterations of outer loop, with sizeof(long)/sizeof(compat_long_t)
iterations on inner one every time.  

So basically that thing will trigger only on the last pass through
the outer loop.  The only way for it to trigger a wraparound would
be to have sizeof(long)/sizeof(compat_long_t) greater than LONG_MAX,
which is, not too likely.

If we decrement nr_compat_longs and want to stop when it reaches zero, why not 
use that as the (only) loop condition?  As in

	for (m = 0, shift = 0; nr_compat_longs--;) {
		compat_ulong_t um;

		if (__get_user(um, umask++))
			return -EFAULT;

		m |= (long)um << shift;
		shift += BITS_PER_COMPAT_LONG;
		if (shift == BITS_PER_LONG) {
			shift = 0;
			*mask++ = m;
			m = 0;
		}
	}
	if (shift)
		*mask++ = m;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ