lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <19f34abd0808310335u12242a3fode17effccf1e9533@mail.gmail.com>
Date:	Sun, 31 Aug 2008 12:35:57 +0200
From:	"Vegard Nossum" <vegard.nossum@...il.com>
To:	"Cyrill Gorcunov" <gorcunov@...il.com>
Cc:	LKML <linux-kernel@...r.kernel.org>, bfields@...ldses.org,
	neilb@...e.de
Subject: Re: [PATCH] sunrpc - fixup userspace buffer possible overrun v2

On Sun, Aug 31, 2008 at 12:08 PM, Cyrill Gorcunov <gorcunov@...il.com> wrote:
> Vegard Nossum reported
> ----------------------
>> I noticed that something weird is going on with /proc/sys/sunrpc/transports.
>> This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When
>> I "cat" this file, I get the expected output:
>>    $ cat /proc/sys/sunrpc/transports
>>    tcp 1048576
>>    udp 32768
>
>> But I think that it does not check the length of the buffer supplied by
>> userspace to read(). With my original program, I found that the stack was
>> being overwritten by the characters above, even when the length given to
>> read() was just 1.
>
> David Wagner added (among other things) that copy_to_user could be
> probably used here.
>
> The conclusion is that proc_do_xprt doesn't check for userside buffer
> size indeed so fix. Also set lenp to number of bytes were really written.
>
> Reported-by: Vegard Nossum <vegard.nossum@...il.com>
> Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com>
> CC: David Wagner <daw@...berkeley.edu>
> ---
>
> Please review.

read() returns the correct number of bytes written in to the buffer.
read() does not overwrite the buffer past the length that the user supplied.
Too small buffer results in a partial data.

But trying to call read() twice results in first a partial buffer, then EOF:

open("/proc/sys/sunrpc/transports", O_RDONLY) = 3
read(3, "tc", 2)                        = 2
read(3, "", 2)                          = 0

Maybe this can be fixed later.

Tested-by: Vegard Nossum <vegard.nossum@...il.com>


Vegard

-- 
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
	-- E. W. Dijkstra, EWD1036
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ