Message-Id: <0DECD40F-A8E0-4D26-9CD6-EC720A823206@dilger.ca>
Date:   Mon, 27 Feb 2017 14:16:05 -0700
From:   Andreas Dilger <adilger@...ger.ca>
To:     Matthijs Möhlmann <matthijs@...holong.nl>
Cc:     linux-ext4@...r.kernel.org
Subject: Re: storing a value larger than UINT_MAX

On Feb 24, 2017, at 3:38 AM, Matthijs Möhlmann <matthijs@...holong.nl> wrote:
> 
> Hello ext4 developers,
> 
> I am trying to run a kernel with grsecurity with the size overflow
> protection and am getting the following warnings / errors:
> 
> dmesg: http://pastebin.com/wr3UGLS9
> config: http://pastebin.com/sr8M9bP0
> mballoc.* (make fs/ext4/mballoc.o EXTRA_CFLAGS="-fdump-tree-all
> -fdump-ipa-all") http://filebin.ca/3DMIChVw9lQM/mballoc.tgz
> 
> According to the grsecurity developers it seems to be a bug in ext4:
> https://forums.grsecurity.net/viewtopic.php?f=1&t=4678&p=16971

        pa->pa_pstart = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
        pa->pa_lstart = pa->pa_pstart;

pa_pstart is 64-bit, pa_lstart is 32-bit.  It isn't clear why pa_lstart isn't:

	pa->pa_lstart = ac->ac_b_ex.fe_logical;

as elsewhere in the code, but this _may_ be because the group prealloc is
for allocating multiple small files in the same group, so pa_lstart may not
make any sense as a per-file logical offset.

Cheers, Andreas

> The response from ephox (PAX team / grsecurity developer):
> --
> Thanks for the report. I think this is an upstream bug. Based on the
> runtime values provided by you, ext4_mb_new_group_pa() tries to store a
> value into pa->pa_lstart which is larger than UINT_MAX which comes from
> ext4_group_first_block_no().
> Could you please report it to the ext4 developers?
> --
> 
> I'll try to answer all the questions but I'm not an expert in this area.
> 
> I am also not subscribed to this mailing list so please keep me in the CC.
> 
> Regards,
> 
> Matthijs Möhlmann
> 


Cheers, Andreas
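
The narrowing discussed in this message, as an added example that is not part of the original e-mail and is not kernel code: a user-space model of storing a 64-bit start block into a 32-bit field, next to a checked variant. The `model_*` names, the group-first-block arithmetic and the geometry (4 KiB blocks, 32768 blocks per group, first data block 0) are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the two fields discussed; not the kernel's struct. */
struct model_pa {
    uint64_t pa_pstart; /* physical start block, 64-bit */
    uint32_t pa_lstart; /* logical start block, 32-bit */
};

/* Assumed arithmetic for a group's first block number. */
static uint64_t model_group_first_block(uint32_t group, uint32_t blocks_per_group,
                                        uint32_t first_data_block)
{
    return (uint64_t)group * blocks_per_group + first_data_block;
}

/* The pattern from the message: the upper 32 bits are silently dropped. */
static void model_store_unchecked(struct model_pa *pa, uint64_t pstart)
{
    pa->pa_pstart = pstart;
    pa->pa_lstart = (uint32_t)pa->pa_pstart;
}

/* Checked variant: 0 on success, -1 (pa untouched) if pstart exceeds UINT_MAX. */
static int model_store_checked(struct model_pa *pa, uint64_t pstart)
{
    if (pstart > UINT_MAX)
        return -1;
    pa->pa_pstart = pstart;
    pa->pa_lstart = (uint32_t)pstart;
    return 0;
}

int main(void)
{
    /* Constructed group numbers around the 2^32-block boundary. */
    const uint32_t bpg = 32768, groups[] = { 131071, 131072, 200000 };
    for (size_t i = 0; i < 3; i++) {
        struct model_pa pa = {0};
        uint64_t blk = model_group_first_block(groups[i], bpg, 0);
        int rc = model_store_checked(&pa, blk);
        model_store_unchecked(&pa, blk);
        printf("group %u: pstart=%llu unchecked lstart=%u, checked store: %s\n",
               (unsigned)groups[i], (unsigned long long)pa.pa_pstart,
               (unsigned)pa.pa_lstart, rc ? "rejected" : "fits");
    }
    return 0;
}
```

With this geometry the first group whose start block no longer fits in 32 bits is group 131072, which corresponds to a filesystem larger than 16 TiB.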





