lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 3 Mar 2014 22:27:57 -0500
From:	Dave Jones <davej@...hat.com>
To:	netdev@...r.kernel.org
Cc:	arvid.brodin@...n.com
Subject: out of bounds writes in net/hsr/

I found this in coverity, and I think it's a real bug..

hsr_register_frame_in does a check that dev_idx is between 0 and 2,
therefore, a dev_idx of 2 is possible when it gets to the array writes
at the end of the function.  The arrays are defined such..

 26 struct node_entry {
...
 33         unsigned long   time_in[HSR_MAX_SLAVE];
 34         bool            time_in_stale[HSR_MAX_SLAVE];

and HSR_MAX_SLAVE is...

139 enum hsr_dev_idx {
140         HSR_DEV_NONE = -1,
141         HSR_DEV_SLAVE_A = 0,
142         HSR_DEV_SLAVE_B,
143         HSR_DEV_MASTER,
144 };
145 #define HSR_MAX_SLAVE   (HSR_DEV_SLAVE_B + 1)

So we have arrays of 2 bytes, and we can try to write to the 3rd byte.

The problem seems to be that the checking in hsr_register_frame is on
HSR_MAX_DEV which is defined as..

#define HSR_MAX_DEV     (HSR_DEV_MASTER + 1)

The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't
figure out why it's there.

	Dave

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ