lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 19 May 2017 02:29:23 +0200
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Alan Cox <gnomes@...rguk.ukuu.org.uk>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Alan Cox <alan@...ux.intel.com>,
        Thomas Osterried <thomas@...erried.de>,
        Javier Martinez Canillas <javier@....samsung.com>,
        David Howells <dhowells@...hat.com>,
        Geliang Tang <geliangtang@...il.com>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>
Subject: Re: drivers/net/hamradio: divide error in hdlcdrv_ioctl

On Wed, May 17, 2017 at 10:07 PM, Alan Cox <gnomes@...rguk.ukuu.org.uk> wrote:
> On Tue, 16 May 2017 17:05:32 +0200
> Andrey Konovalov <andreyknvl@...gle.com> wrote:
>
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 2ea659a9ef488125eb46da6eb571de5eae5c43f6 (4.12-rc1).
>>
>> A reproducer and .config are attached.
>
> This should fix it.

Hi Alan,

Someone else has already sent a couple of versions of a similar fix.

https://patchwork.ozlabs.org/patch/763832/

Thanks!

>
> commit 37b3fa4b617681f00cfa1f76d6d7716cc6d9f79a
> Author: Alan Cox <alan@...yncelyn.cymru>
> Date:   Wed May 17 21:04:27 2017 +0100
>
>     hdlcdrv: Fix division by zero when bitrate is unset
>
>     The code attempts to check for out of range calibration. What it forgets to do
>     is check for the 0 bitrate case. As a result the range check itself oopses the
>     kernel.
>
>     Found by Andrey Konovalov using Syzkaller.
>
>     Signed-off-by: Alan Cox <alan@...ux.intel.com>
>
> diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
> index 8c3633c..9f34a48 100644
> --- a/drivers/net/hamradio/hdlcdrv.c
> +++ b/drivers/net/hamradio/hdlcdrv.c
> @@ -576,7 +576,7 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
>         case HDLCDRVCTL_CALIBRATE:
>                 if(!capable(CAP_SYS_RAWIO))
>                         return -EPERM;
> -               if (bi.data.calibrate > INT_MAX / s->par.bitrate)
> +               if (!s->par.bitrate || bi.data.calibrate > INT_MAX / s->par.bitrate)
>                         return -EINVAL;
>                 s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
>                 return 0;

Powered by blists - more mailing lists