lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024052420-clang-flatterer-366b@gregkh>
Date: Fri, 24 May 2024 12:15:47 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jiri Bohac <jbohac@...e.cz>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org,
	Eric Biederman <ebiederm@...ssion.com>, kexec@...ts.infradead.org
Subject: Re: CVE-2023-52823: kernel: kexec: copy user-array safely

On Fri, May 24, 2024 at 12:02:10PM +0200, Jiri Bohac wrote:
> On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> > kernel: kexec: copy user-array safely
> > 
> > Currently, there is no overflow-check with memdup_user().
> 
> This is false. 
> Therefore, I'd like to dispute this CVE.
> 
> The overflow check is in the kexec_load_check()
> function called shortly before the memdup_user() call:
> 
> 
> 	SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
> 			struct kexec_segment __user *, segments, unsigned long, flags)
> 	{
> 		result = kexec_load_check(nr_segments, flags);
> 		if (result)
> 			return result;
> 	...
> 		ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
> 	...
> 	}
> 
> 	#define KEXEC_SEGMENT_MAX 16
> 	static inline int kexec_load_check(unsigned long nr_segments,
> 					   unsigned long flags)
> 	{
> 	...
> 		if (nr_segments > KEXEC_SEGMENT_MAX)
> 			return -EINVAL;
> 	}

Nice, but then why was this commit worded this way?  Now we check twice?
Double safe?  Should it be reverted?

I'll go revoke this, thanks for the review!

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ