Message-ID: <20050119103403.GA10083@suse.de>
Date: Wed, 19 Jan 2005 11:34:03 +0100
From: Marcus Meissner <meissner@...e.de>
To: Brad Spengler <spender@...ecurity.net>
Cc: dailydave@...ts.immunitysec.com, bugtraq@...urityfocus.com,
        full-disclosure@...ts.netsys.com
Subject: Re: grsecurity 2.1.0 release / 5 Linux kernel advisories

On Fri, Jan 07, 2005 at 01:18:53PM -0500, Brad Spengler wrote:
> Let's try this again, since web archives don't like multipart 
> attachments.
> 
> grsecurity 2.1.0 release / Linux Kernel advisories
> --------------------------------------------------------------------
> 
> Table Of Contents:
...
> 4) 2.6 scsi ioctl integer overflow and information leak


> 4) 2.6 scsi ioctl integer overflow and information leak
> 
> In drivers/block/scsi_ioctl.c:
> 
> at sg_scsi_ioctl():
> >        struct request *rq;
> >        int err, in_len, out_len, bytes, opcode, cmdlen;
>         ^ in_len, out_len are signed int
> >        char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
> >
> >        /*
> >         * get in an out lengths, verify they don't exceed a page worth of data
> >         */
> >        if (get_user(in_len, &sic->inlen))
>         ^ in_len is user-controlled
> >                return -EFAULT;
> >        if (get_user(out_len, &sic->outlen))
>         ^ out_len is user-controlled
> >                return -EFAULT;
> >        if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
>         ^ signed int only has upper bound checked
> >                return -EINVAL;

Well spotted.

I actually spent 30 minutes unsuccessfully trying to get my kernel to
crash with this before a C guru here explained it to me.

The C compiler actually rises to the rescue and saves the kernel.

"A comparison will always be evaluated in the largest integer context
available." (or so)

PAGE_SIZE is defined as (1UL << PAGE_SHIFT) for all architectures on
2.6 kernels.

signed int has 31bits, unsigned long has either 32 or 64 bit.

So this expression will always be evaluated in unsigned long mode. 

In this case the signed int is not converted, but the binary representation
is used, -1 would be in this case 0xffffffff.

	=> No problem.

Ciao, Marcus
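The promotion rule Marcus describes, as an added illustration that is not part of the original thread or of the kernel source: the first function mirrors the shape of the sg_scsi_ioctl() check against an unsigned long page size, the second shows what happens when the same check is made against a plain int constant, and the third is the explicit two-sided check a reviewer would ask for. PAGE_SIZE_UL, PAGE_SIZE_INT and the function names are constructed for this example (PAGE_SHIFT assumed to be 12).

```c
#include <stdio.h>

/* Constructed stand-in for the 2.6 kernel macro: (1UL << PAGE_SHIFT), unsigned long. */
#define PAGE_SIZE_UL (1UL << 12)
/* Constructed variant with a plain int page size, to show the check without the rescue. */
#define PAGE_SIZE_INT (1 << 12)

/* Same shape as the check in sg_scsi_ioctl(): returns 1 if the lengths are accepted.
 * Usual arithmetic conversions turn "int > unsigned long" into an unsigned long
 * comparison, so a negative in_len becomes a huge value and fails the upper bound. */
int lengths_accepted_unsigned(int in_len, int out_len)
{
    if (in_len > PAGE_SIZE_UL || out_len > PAGE_SIZE_UL)
        return 0;
    return 1;
}

/* Same check, but int against int: -1 > 4096 is simply false, so negatives pass. */
int lengths_accepted_signed(int in_len, int out_len)
{
    if (in_len > PAGE_SIZE_INT || out_len > PAGE_SIZE_INT)
        return 0;
    return 1;
}

/* The robust form: reject negatives explicitly instead of relying on promotion,
 * so the check stays correct even if the page-size macro ever changes type. */
int lengths_accepted_explicit(int in_len, int out_len)
{
    if (in_len < 0 || out_len < 0)
        return 0;
    if ((unsigned long)in_len > PAGE_SIZE_UL || (unsigned long)out_len > PAGE_SIZE_UL)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: a negative length and an oversized length. */
    int probes[][2] = { { -1, 0 }, { 4097, 0 }, { 100, 200 } };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("in_len=%d out_len=%d: unsigned=%d signed=%d explicit=%d\n",
               probes[i][0], probes[i][1],
               lengths_accepted_unsigned(probes[i][0], probes[i][1]),
               lengths_accepted_signed(probes[i][0], probes[i][1]),
               lengths_accepted_explicit(probes[i][0], probes[i][1]));
    }
    return 0;
}
```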

