From: jikos at jikos.cz (Jirka Kosina)
Subject: Re: Linux Kernel sctp_setsockopt() Integer Overflow

On Thu, 27 May 2004, Michael Tokarev wrote:

> I was wrong reading the above code, simple as that.
> Sure, kmalloc(0) will NOT return NULL as I claimed.
>                 if (size > csizep->cs_size)
>                         continue;
> Here, when size == 0 (and csizep->cs_size is always > 0),
> the condition is always false, so the next instruction
> will be executed, which is:
>                 return __kmem_cache_alloc(flags & GFP_DMA ?
>                          csizep->cs_dmacachep : csizep->cs_cachep, flags);
> which will allocate either 32 or 64 bytes of memory (depending
> on the arch) and return it to the caller.
> So there IS a bug, exactly as described in the original advisory.
> I wonder why no one replied... ;)

Because all of this is a debate about nothing, as the original advisory was 
fake: you simply can't pass a negative optlen to the setsockopt() syscall, 
so there is nothing to exploit.

asmlinkage long sys_setsockopt(int fd, int level, int optname,
                               char __user *optval, int optlen)
{
        int err;
        struct socket *sock;

        if (optlen < 0)
                return -EINVAL;
...

-- 
JiKos.
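As an added illustration that is not from the thread or from the kernel source: a user-space model of the two points made above, the kmalloc() size-class walk quoted by Michael (size 0 selects the smallest class rather than returning NULL) and the optlen < 0 check in sys_setsockopt() that rejects negative lengths before any protocol handler runs. The size-class table, fake_proto_setsockopt() and model_sys_setsockopt() are constructed names for this model, and the 32-byte smallest class is an assumption (the thread says 32 or 64 depending on the arch).

```c
#include <stddef.h>

#define EINVAL 22   /* errno value, as in the kernel's -EINVAL */

/* Constructed size-class table (assumption: 32-byte smallest class). */
static const size_t cache_sizes[] = { 32, 64, 128, 256, 512, 1024, 2048, 4096 };
#define NUM_CACHES (sizeof(cache_sizes) / sizeof(cache_sizes[0]))

/* Model of the kmalloc() loop quoted above: walk the classes and take
 * the first one with cs_size >= size. Returns the chosen class size,
 * or 0 when the request exceeds every class. For size == 0 the
 * "size > cs_size" test never fires, so the smallest class is returned,
 * not NULL, which is the point made in the quoted mail. */
size_t kmalloc_class_size(size_t size)
{
    size_t i;
    for (i = 0; i < NUM_CACHES; i++) {
        if (size > cache_sizes[i])
            continue;               /* class too small, try the next one */
        return cache_sizes[i];      /* first class that fits */
    }
    return 0;                       /* request larger than any class */
}

/* Hypothetical protocol-level handler: it trusts optlen and would size
 * its kernel copy of optval from it, like an sctp_setsockopt()-style
 * callee. Returns the class size it would allocate from. */
long fake_proto_setsockopt(int optlen)
{
    return (long)kmalloc_class_size((size_t)optlen);
}

/* Model of the generic sys_setsockopt() entry quoted in the reply:
 * a negative optlen is rejected with -EINVAL before any protocol
 * handler can see it, so a negative length never reaches the
 * per-protocol code. */
long model_sys_setsockopt(int optlen)
{
    if (optlen < 0)
        return -EINVAL;
    return fake_proto_setsockopt(optlen);
}
```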
