| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52ACDBBE.32014.145F911E@pageexec.freemail.hu> Date: Sat, 14 Dec 2013 23:29:18 +0100 From: "PaX Team" <pageexec@...email.hu> To: linux-ext4@...r.kernel.org CC: re.emese@...il.com Subject: possible unintended integer truncation in fs/ext4/extents.c:get_implied_cluster_alloc Hello folks, while running a simple analyzer plugin on linux 3.12.5 written by Emese Revfy we found a case in ext4 that looks like a potential problem. the code looks like this: 4082 map->m_pblk = (ee_start & ~(sbi->s_cluster_ratio - 1)) + 4083 c_offset; here the expression ~(sbi->s_cluster_ratio - 1) will first do the negation on an unsigned int then extend the result to unsigned long long (i.e, there's a 32->64 bit conversion on both 32 and 64 bit archs) and stores it as such. now this will obviously lose the higher 32 bits of ee_start and the question is: is this intended behaviour or a bug? later the code compares map->m_pblk against ee_block which is as unsigned int only so there's some mixture of integer types here that may warrant further review. cheers, PaX Team -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists