| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jul 2008 00:17:03 +0400 From: Alexey Dobriyan <adobriyan@...il.com> To: akpm@...l.org, mpm@...enic.com Cc: linux-kernel@...r.kernel.org, pagexec@...email.hu Subject: Re: *sigh* /proc/*/pagemap > > >> 5) check with microscope allocation there -- page-aligned address and > > size > > >> == 0 > > >> should allocate 0 bytes, and > > > > > > Where? > > > > kmalloc() in pagemap_read(). kmalloc(0) and integer wraparound look > > possible. Now that I unsuccessfully tried to reproduce multiplication wraparound (on 32-bit), integer wraparound in kmalloc() simply can't happen here. Relevant code from pagemap_read(): uaddr = (unsigned long)buf & PAGE_MASK; uend = (unsigned long)(buf + count); pagecount = (PAGE_ALIGN(uend) - uaddr) / PAGE_SIZE; pages = kmalloc(pagecount * sizeof(struct page *), GFP_KERNEL); pagecount is effectively "count / PAGE_SIZE", where "count" is size_t. kmalloc() takes size_t as first argument, so one has to overflow count / PAGE_SIZE * sizeof(pointer). For sure, page is bigger than pointer. Anyone still see holes? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists