lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <808c8e9d0907241040i2783d27aw948aa239f521336c@mail.gmail.com>
Date:	Fri, 24 Jul 2009 12:40:28 -0500
From:	Ben Gardner <gardner.ben@...il.com>
To:	Michael Buesch <mb@...sch.de>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: FW: [PATCH] cs5535_gpio: Fix root triggerable integer underflow

Hi Michael,

> This patch fixes a possible root triggerable (I hope the device is only
> readable by root?) integer underflow.
> Well, it's not really an underflow, but as loff_t is a signed type, the
> range check at the start of the function is incomplete. It needs to
> check for <0, too.
> Otherwise the loop below will poke into random memory and I/O space.
> This could be used to crash the machine, at least.
>
> This patch is only compiletested, because I do not have the hardware.
>
> Signed-off-by: Michael Buesch <mb@...sch.de>
>
> ---
>
> I'm not sure if this bug is exploitable. I _guess_ the device is only
> readable by root
> on a standard setup.

The cs5525_gpio driver uses the default seek, which doesn't allow
negative position values.
So, I don't think it necessary to check for negative values.

Ben

> ---
>  drivers/char/cs5535_gpio.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- linux-2.6.orig/drivers/char/cs5535_gpio.c
> +++ linux-2.6/drivers/char/cs5535_gpio.c
> @@ -124,21 +124,21 @@ static ssize_t cs5535_gpio_write(struct
>  static ssize_t cs5535_gpio_read(struct file *file, char __user *buf,
>                                size_t len, loff_t *ppos)
>  {
>        u32     m = iminor(file->f_path.dentry->d_inode);
>        u32     base = gpio_base + cs5535_lowhigh_base(m);
>        int     rd_bit = 1 << (m & 0x0f);
>        int     i;
>        char    ch;
>        ssize_t count = 0;
>
> -       if (*ppos >= ARRAY_SIZE(rm))
> +       if (*ppos < 0 || *ppos >= ARRAY_SIZE(rm))
>                return 0;
>
>        for (i = *ppos; (i < (*ppos + len)) && (i < ARRAY_SIZE(rm));
> i++) {
>                ch = (inl(base + rm[i].rd_offset) & rd_bit) ?
>                     rm[i].on : rm[i].off;
>
>                if (put_user(ch, buf+count))
>                        return -EFAULT;
>
>                count++;
>
> --
> Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ