| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 13 Jan 2018 12:14:59 +0300 From: Alexey Dobriyan <adobriyan@...il.com> To: Andrew Morton <akpm@...ux-foundation.org> Cc: linux-kernel@...r.kernel.org Subject: Re: [PATCH] elf: fix NT_FILE integer overflow On Fri, Jan 12, 2018 at 02:52:08PM -0800, Andrew Morton wrote: > On Fri, 12 Jan 2018 23:34:27 +0300 Alexey Dobriyan <adobriyan@...il.com> wrote: > > > If vm.max_map_count bumped above 2^26 (67+ mil) and system has enough > > RAM to allocate all the VMAs (~12.8 GB on Fedora 27 with 200-byte VMAs), > > then it should be possible to overflow 32-bit "size", pass paranoia check, > > allocate very little vmalloc space and oops while writing into vmalloc > > guard page... > > > > But I didn't test this, only coredump of regular process. > > > > ... > > > > --- a/fs/binfmt_elf.c > > +++ b/fs/binfmt_elf.c > > @@ -1599,6 +1599,8 @@ static int fill_files_note(struct memelfnote *note) > > > > /* *Estimated* file count and total data size needed */ > > count = current->mm->map_count; > > + if (count > UINT_MAX / 64) > > + return -EINVAL; > > size = count * 64; > > > > names_ofs = (2 + 3 * count) * sizeof(data[0]); > > Why not make `size' a ulong (or size_t)? That seems to be the > appropriate type and the code will then immediately barf over the > MAX_FILE_NOTE_SIZE comparison anyway. You can do it, but MAX_FILE_NOTE_SIZE is only 4 MB, and 32-bit code is smaller than 64-bit code.
Powered by blists - more mailing lists