lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <667778c0d0e6d27e8050cabb17cf9e3e790715d5.1257776095.git.andre.goddard@gmail.com>
Date:	Mon,  9 Nov 2009 12:26:46 -0200
From:	André Goddard Rosa <andre.goddard@...il.com>
To:	tabbott@...lice.com, alan-jenkins@...fmail.co.uk,
	rusty@...tcorp.com.au, linux-kernel@...r.kernel.org
Cc:	André Goddard Rosa <andre.goddard@...il.com>
Subject: [PATCH 2/2] bsearch: prevent overflow when computing middle comparison element

It's really difficult to occur in practice because the sum of the lower
and higher limits must overflow an int variable, but it can occur when
working with large arrays. We'd better safe than sorry by avoiding this
overflow situation when computing the middle element for comparison.

See:
http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5045582

The program below demonstrates the issue:

$ ./a.out
(glibc)         Element is at the last position
(patched)       Element is at the last position
Segmentation fault

===
#include <search.h>
#include <stdlib.h>
#include <stdio.h>

/* A number that when doubled will be bigger than 2^31 - 1 */
#define BIG_NUMBER_TO_OVERFLOW_INT	(1100000000)

static int cmp_char(const void *p1, const void *p2)
{
	char v1 = (*(char *)p1);
	char v2 = (*(char *)p2);

	if (v1 < v2)
		return -1;
	else if (v1 > v2)
		return 1;
	else
		return 0;
}

void *lib_bsearch(const void *key, const void *base, size_t num, size_t size
	, int (*cmp)(const void *key, const void *elt))
{
	int start = 0, end = num - 1, mid, result;

	while (start <= end) {
		mid = (start + end) / 2;
		result = cmp(key, base + mid * size);
		if (result < 0)
			end = mid - 1;
		else if (result > 0)
			start = mid + 1;
		else
			return (void *)base + mid * size;
	}

	return NULL;
}

void *patch_lib_bsearch(const void *key, const void *base, size_t num, size_t size
	, int (*cmp)(const void *key, const void *elt))
{
	size_t start = 0, end = num, mid;
	int result;

	while (start < end) {
		mid = (start + end) / 2;
		result = cmp(key, base + mid * size);
		if (result < 0)
			end = mid - 1;
		else if (result > 0)
			start = mid + 1;
		else
			return (void *)base + mid * size;
	}

	return NULL;
}

int main(void)
{
	char key = 1;
	char *array = calloc(BIG_NUMBER_TO_OVERFLOW_INT, sizeof(char));
	void *ptr;

	if (!array)
	{
		printf("%s\n", "no memory");
		return EXIT_FAILURE;
	}
	array[BIG_NUMBER_TO_OVERFLOW_INT - 1] = 1;

	ptr = bsearch(&key, array, BIG_NUMBER_TO_OVERFLOW_INT, sizeof(char), cmp_char);
	printf("(glibc) Element is%sat the last position\n"
		, (ptr == &array[BIG_NUMBER_TO_OVERFLOW_INT - 1]) ? " " : " NOT ");

	ptr = patch_lib_bsearch(&key, array, BIG_NUMBER_TO_OVERFLOW_INT, sizeof(char), cmp_char);
	printf("(patched) Element is%sat the last position\n"
		, (ptr == &array[BIG_NUMBER_TO_OVERFLOW_INT - 1]) ? " " : " NOT ");

	ptr = lib_bsearch(&key, array, BIG_NUMBER_TO_OVERFLOW_INT, sizeof(char), cmp_char);
	printf("(unpatched) Element is%sat the last position\n"
		, (ptr == &array[BIG_NUMBER_TO_OVERFLOW_INT - 1]) ? " " : " NOT ");

	free(array);

	return EXIT_SUCCESS;
}

Signed-off-by: André Goddard Rosa <andre.goddard@...il.com>
---
 lib/bsearch.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/lib/bsearch.c b/lib/bsearch.c
index f71ac89..f1aa361 100644
--- a/lib/bsearch.c
+++ b/lib/bsearch.c
@@ -33,7 +33,8 @@
 void *bsearch(const void *key, const void *base, size_t num, size_t size,
 	      int (*cmp)(const void *key, const void *elt))
 {
-	int start = 0, end = num, mid, result;
+	size_t start = 0, end = num, mid;
+	int result;
 
 	while (start < end) {
 		mid = (start + end) / 2;
-- 
1.6.5.2.153.g6e31f.dirty

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ