| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200907211217.47484.mb@bu3sch.de>
Date: Tue, 21 Jul 2009 12:17:47 +0200
From: Michael Buesch <mb@...sch.de>
To: Henrique de Moraes Holschuh <hmh@....eng.br>
Cc: ibm-acpi-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] thinkpad-acpi: Avoid heap buffer overrun
On Tuesday 21 July 2009 12:16:17 Michael Buesch wrote:
> Avoid a heap buffer overrun triggered by an integer overflow of the userspace
> controlled "count" variable.
> If userspace passes in a "count" of (size_t)-1l, the kmalloc size will overflow
> to ((size_t)-1l + 2) = 1, so only one byte will be allocated. However, copy_from_user()
> will attempt to copy 0xFFFFFFFF (or 0xFFFFFFFFFFFFFFFF on 64bit) bytes to the buffer.
>
> A possible testcase could look like this:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <fcntl.h>
>
> int main(int argc, char **argv)
> {
> int fd;
> char c;
>
> if (argc != 2) {
> printf("Usage: %s /proc/acpi/ibm/filename\n", argv[0]);
> return 1;
> }
> fd = open(argv[1], O_RDWR);
> if (fd < 0) {
> printf("Could not open proc file\n");
> return 1;
> }
> write(fd, &c, (size_t)-1l);
> }
>
> We avoid the integer overrun by putting an arbitrary limit on the count.
> PAGE_SIZE sounds like a sane limit.
>
> Signed-off-by: Michael Buesch <mb@...sch.de>
Whoops, forgot
Cc: stable@...nel.org
--
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists