lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4AB4CEC8.4060101@telenet.be>
Date:	Sat, 19 Sep 2009 14:30:00 +0200
From:	Ian Schram <ischram@...enet.be>
To:	Ingo Molnar <mingo@...e.hu>
CC:	Peter Zijlstra <peterz@...radead.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	xiaoguangrong@...fujitsu.com, Paul Mackerras <paulus@...ba.org>
Subject: Re: perf_copy_attr pointer arithmetic weirdness



Ingo Molnar wrote:
> * Peter Zijlstra <peterz@...radead.org> wrote:
> 
>> On Fri, 2009-09-18 at 21:26 +0200, Ian Schram wrote:
>>> There is some -to me at least- weird code in per_copy_attr. Which supposedly
>>> checks that all bytes trailing a struct are zero.
>>>
>>> It doesn't seem to get pointer arithmetic right. Since it increments
>>> an iterating pointer by sizeof(unsigned long) rather than 1.
>>>
>>> I believe this has an impact on the exploitability of the recent buffer overflow
>>> in the perf_copy_attr function. I'm pretty sure I'm not the only one who noticed
>>> this, but i couldn't find it being mentioned. For some reason people prefer
>>> mmaping something at zero these days?
>>>
>>> I have appended a patch locating the issue. The PTR_ALIGN stuff right above it
>>> doesn't seem to take any boundary conditions into account which is probably not
>>> a good thing either.
>> sizeof(struct perf_counter_attr) should always be a multiple of u64, and
I don't think this matters since the starting address is not 'forced' to be
aligned. In which case some bytes in the middle would be unchecked. All in
all seems like an undesirable situation. I'll verify this and try my hand
at fixing it properly. Unless somebody who actually understands the purpose
of these checks wants to have a go..

>> we can indeed read beyond the tail boundary, but that should be ok,
>> worst that can happen is that we fail the read..
>>
>> Ugh on the ptr arith, one wonders how many stupid bugs one can make in
>> such a piece of code... :/
>>
>>> signed-of-by Ian Schram <ischram@...enet.be>
>> Acked-by: Peter Zijlstra <a.p.zijlstra@...llo.nl>
> 
> Ian, you meant Signed-off-by, not signed-of-by, right?
> 

exactly right, *shame*, apologies for the extra work for this one line
drive-by patch.

> 	Ingo
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ