lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sat, 13 Jan 2018 12:14:59 +0300
From:   Alexey Dobriyan <adobriyan@...il.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH] elf: fix NT_FILE integer overflow

On Fri, Jan 12, 2018 at 02:52:08PM -0800, Andrew Morton wrote:
> On Fri, 12 Jan 2018 23:34:27 +0300 Alexey Dobriyan <adobriyan@...il.com> wrote:
> 
> > If vm.max_map_count bumped above 2^26 (67+ mil) and system has enough
> > RAM to allocate all the VMAs (~12.8 GB on Fedora 27 with 200-byte VMAs),
> > then it should be possible to overflow 32-bit "size", pass paranoia check,
> > allocate very little vmalloc space and oops while writing into vmalloc
> > guard page...
> > 
> > But I didn't test this, only coredump of regular process.
> > 
> > ...
> >
> > --- a/fs/binfmt_elf.c
> > +++ b/fs/binfmt_elf.c
> > @@ -1599,6 +1599,8 @@ static int fill_files_note(struct memelfnote *note)
> >  
> >  	/* *Estimated* file count and total data size needed */
> >  	count = current->mm->map_count;
> > +	if (count > UINT_MAX / 64)
> > +		return -EINVAL;
> >  	size = count * 64;
> >  
> >  	names_ofs = (2 + 3 * count) * sizeof(data[0]);
> 
> Why not make `size' a ulong (or size_t)?  That seems to be the
> appropriate type and the code will then immediately barf over the
> MAX_FILE_NOTE_SIZE comparison anyway.

You can do it, but MAX_FILE_NOTE_SIZE is only 4 MB, and 32-bit code is
smaller than 64-bit code.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ