| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230302141231.2c0a3761@kernel.org>
Date: Thu, 2 Mar 2023 14:12:31 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Kees Cook <kees@...nel.org>
Cc: Kees Cook <keescook@...omium.org>, linux-hardening@...r.kernel.org,
bpf@...r.kernel.org
Subject: Re: splat in ikheaders_read (bpftrace)
On Thu, 2 Mar 2023 14:08:14 -0800 Jakub Kicinski wrote:
> > static ssize_t
> > ikheaders_read(struct file *file, struct kobject *kobj,
> > struct bin_attribute *bin_attr,
> > char *buf, loff_t off, size_t len)
> > {
> > memcpy(buf, &kernel_headers_data + off, len);
> > return len;
> > }
> >
> > I will take a look at the caller's allocation of "buf" and kernel_headers_data.
>
> Mm. Actually stopping to look at the code - I don't see it bound
> checking against kernel_headers_data_end :| Maybe we need:
>
> @@ -34,6 +35,7 @@ ikheaders_read(struct file *file, struct kobject *kobj,
> struct bin_attribute *bin_attr,
> char *buf, loff_t off, size_t len)
> {
> + len = min_t(size_t, kernel_headers_data_end - kernel_headers_data, len);
> memcpy(buf, &kernel_headers_data + off, len);
> return len;
> }
Scratch that, the size is set at init time.
My guess was memcpy() thinks the size of kernel_headers_data
is 1 since it's declared as char?
Powered by blists - more mailing lists