| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Feb 2009 15:54:48 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Mikulas Patocka <mpatocka@...hat.com>
Cc: torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org,
stable@...nel.org
Subject: Re: [PATCH] Fix memory corruption in console selection
On Fri, 30 Jan 2009 15:27:14 -0500 (EST)
Mikulas Patocka <mpatocka@...hat.com> wrote:
> [ I don't know who is the console maintainer or if there is any, so I'm
> posting this to Linus ]
>
>
> Fix an off-by-two memory error in console selection.
>
> The loop below goes from sel_start to sel_end (inclusive), so it writes
> one more character. This one more character was added to the allocated
> size (+1), but it was not multiplied by an UTF-8 multiplier.
>
> This patch fixes a memory corruption when UTF-8 console is used and the
> user selects a few characters, all of them 3-byte in UTF-8 (for example a
> frame line).
>
> When memory redzones are enabled, a redzone corruption is reported. When
> they are not enabled, trashing of random memory occurs.
>
> Signed-off-by: Mikulas Patocka <mpatocka@...hat.com>
>
> ---
> drivers/char/selection.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Index: linux-2.6.29-rc3-devel/drivers/char/selection.c
> ===================================================================
> --- linux-2.6.29-rc3-devel.orig/drivers/char/selection.c 2009-01-30 21:03:07.000000000 +0100
> +++ linux-2.6.29-rc3-devel/drivers/char/selection.c 2009-01-30 21:03:38.000000000 +0100
> @@ -268,7 +268,7 @@ int set_selection(const struct tiocl_sel
>
> /* Allocate a new buffer before freeing the old one ... */
> multiplier = use_unicode ? 3 : 1; /* chars can take up to 3 bytes */
> - bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
> + bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
> if (!bp) {
> printk(KERN_WARNING "selection: kmalloc() failed\n");
> clear_selection();
The patch is now in mainline for 2.6.29, as
878b8619f711280fd05845e21956434b5e588cc4.
It appears to be applicable to earlier kernels as far back as 2.6.25
(at least). But the -stable maintainers were not informed of this.
An appropriate way of flagging this is to add
Cc: <stable@...nel.org>
to the changelog.
Please, people - we all need to think about this, to prevent stuff from
falling through cracks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists