lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150514121940.GC10093@quack.suse.cz>
Date:	Thu, 14 May 2015 14:19:40 +0200
From:	Jan Kara <jack@...e.cz>
To:	"Darrick J. Wong" <darrick.wong@...cle.com>
Cc:	tytso@....edu, linux-ext4@...r.kernel.org
Subject: Re: [PATCH] jbd2: fix r_count overflows leading to buffer overflow
 in journal recovery

On Wed 13-05-15 11:56:46, Darrick J. Wong wrote:
> The journal revoke block recovery code does not check r_count for
> sanity, which means that an evil value of r_count could result in
> the kernel reading off the end of the revoke table and into whatever
> garbage lies beyond.  This could crash the kernel, so fix that.
> 
> However, in testing this fix, I discovered that the code to write
> out the revoke tables also was not correctly checking to see if the
> block was full -- the current offset check is fine so long as the
> revoke table space size is a multiple of the record size, but this
> is not true when either journal_csum_v[23] are set.
> 
> Signed-off-by: Darrick J. Wong <darrick.wong@...cle.com>
...
> @@ -594,9 +594,14 @@ static void write_one_revoke_record(journal_t *journal,
>  	if (jbd2_journal_has_csum_v2or3(journal))
>  		csum_size = sizeof(struct jbd2_journal_revoke_tail);
>  
> +	if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
> +		sz = 8;
> +	else
> +		sz = 4;
> +
>  	/* Make sure we have a descriptor with space left for the record */
>  	if (descriptor) {
> -		if (offset >= journal->j_blocksize - csum_size) {
> +		if (offset + sz >= journal->j_blocksize - csum_size) {
  Hum, but we can have strict inequality here, can't we? Otherwise the
patch looks good to me.

								Honza


-- 
Jan Kara <jack@...e.cz>
SUSE Labs, CR
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ