| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Dec 2016 15:00:09 -0500
From: Theodore Ts'o <tytso@....edu>
To: Eric Biggers <ebiggers@...gle.com>
Cc: linux-ext4@...r.kernel.org,
Andreas Dilger <adilger.kernel@...ger.ca>
Subject: Re: [PATCH 3/3] ext4: correctly detect when an xattr value has an
invalid size
On Sat, Nov 26, 2016 at 10:39:46PM -0800, Eric Biggers wrote:
> It was possible for an xattr value to have a very large size, which
> would then pass validation on 32-bit architectures due to a pointer
> wraparound. Fix this by validating the size in a way which avoids
> pointer wraparound.
>
> It was also possible that a value's size would fit in the available
> space but its padded size would not. This would cause an out-of-bounds
> memory write in ext4_xattr_set_entry when replacing the xattr value.
> For example, if an xattr value of unpadded size 253 bytes went until the
> very end of the inode or block, then using setxattr(2) to replace this
> xattr's value with 256 bytes would cause a write to the 3 bytes past the
> end of the inode or buffer, and the new xattr value would be incorrectly
> truncated. Fix this by requiring that the padded size fit in the
> available space rather than the unpadded size.
>
> This patch shouldn't have any noticeable effect on
> non-corrupted/non-malicious filesystems.
>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Thanks, applied.
- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists