lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Mon, 2 Feb 2009 15:54:48 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Mikulas Patocka <mpatocka@...hat.com>
Cc:	torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org,
	stable@...nel.org
Subject: Re: [PATCH] Fix memory corruption in console selection

On Fri, 30 Jan 2009 15:27:14 -0500 (EST)
Mikulas Patocka <mpatocka@...hat.com> wrote:

> [ I don't know who is the console maintainer or if there is any, so I'm 
> posting this to Linus ]
> 
> 
> Fix an off-by-two memory error in console selection.
> 
> The loop below goes from sel_start to sel_end (inclusive), so it writes 
> one more character. This one more character was added to the allocated 
> size (+1), but it was not multiplied by an UTF-8 multiplier.
> 
> This patch fixes a memory corruption when UTF-8 console is used and the 
> user selects a few characters, all of them 3-byte in UTF-8 (for example a 
> frame line).
> 
> When memory redzones are enabled, a redzone corruption is reported. When 
> they are not enabled, trashing of random memory occurs.
> 
> Signed-off-by: Mikulas Patocka <mpatocka@...hat.com>
> 
> ---
>  drivers/char/selection.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Index: linux-2.6.29-rc3-devel/drivers/char/selection.c
> ===================================================================
> --- linux-2.6.29-rc3-devel.orig/drivers/char/selection.c	2009-01-30 21:03:07.000000000 +0100
> +++ linux-2.6.29-rc3-devel/drivers/char/selection.c	2009-01-30 21:03:38.000000000 +0100
> @@ -268,7 +268,7 @@ int set_selection(const struct tiocl_sel
>  
>  	/* Allocate a new buffer before freeing the old one ... */
>  	multiplier = use_unicode ? 3 : 1;  /* chars can take up to 3 bytes */
> -	bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
> +	bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
>  	if (!bp) {
>  		printk(KERN_WARNING "selection: kmalloc() failed\n");
>  		clear_selection();

The patch is now in mainline for 2.6.29, as
878b8619f711280fd05845e21956434b5e588cc4.

It appears to be applicable to earlier kernels as far back as 2.6.25
(at least).  But the -stable maintainers were not informed of this.

An appropriate way of flagging this is to add

Cc: <stable@...nel.org>

to the changelog.

Please, people - we all need to think about this, to prevent stuff from
falling through cracks.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists