lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20080812162156.GA10163@lenovo>
Date:	Tue, 12 Aug 2008 20:21:56 +0400
From:	Cyrill Gorcunov <gorcunov@...il.com>
To:	Ingo Molnar <mingo@...e.hu>
Cc:	LKML <linux-kernel@...r.kernel.org>
Subject: protecting early_param from null injecting

Hi Ingo,

I spent some time on eraly_param handling and it seems
it will not be possible to just set absentee parameter
to end of string to prevent NULL deref. As I can see
the easier way is to add checking for NULL pointer.

And here is why - currently kernel will hang if user
forget to specify mandatory boot parameter - pointing
us to fix that point in kernel to prevent NULL deref.
If we may early_param to behave as __setup() funtion does -
we will have to review/fix kernel code anyway - for example
in arch/mips/kernel/setup.c

---
static int __init early_parse_mem(char *p)
{
	unsigned long start, size;

	/*
	 * If a user specifies memory size, we
	 * blow away any automatically generated
	 * size.
	 */
	if (usermem == 0) {
		boot_mem_map.nr_map = 0;
		usermem = 1;
 	}
	start = 0;
	size = memparse(p, &p);
	if (*p == '@')
		start = memparse(p + 1, &p);

	add_memory_region(start, size, BOOT_MEM_RAM);
	return 0;
}
early_param("mem", early_parse_mem);
---

If user will specify boot option as "mem=" without arg
we will have hang on eraly boot stage but if we change it
to zero-sized-string it will not fail and add_memory_region
will be processed as well by adding zero-sized memory region.
I don't know maybe it's safe to add zero-sized memory region
but I have a gut feeling in this way we could change program
flow and get hidden bugs.

I think there about ~15-20 places in kernel left without NULL
checking - not that many :) As only I finish with my current
APIC attempts - I could fix them.

		- Cyrill -
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ