lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 15 Mar 2010 13:45:23 +0300
From:	Dan Carpenter <error27@...il.com>
To:	Toralf Förster <toralf.foerster@....de>
Cc:	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: bug list: range checking issues 2.6.34-rc1

On Mon, Mar 15, 2010 at 10:02:18AM +0100, Toralf Förster wrote:
> Hello,
> 
> I'm wondering about these entries :
> 

No problem, I'm happy to explain.

> drivers/infiniband/core/user_mad.c +646 ib_umad_reg_agent() 'umm' 4 <= 6
   641                          u32 *umm = (u32 *) ureq.method_mask;
   642                          int i;
   643  
   644                          for (i = 0; i < BITS_TO_LONGS(IB_MGMT_MAX_METHODS); ++i)
   645                                  req.method_mask[i] =
   646                                          umm[i * 2] | ((u64) umm[i * 2 + 1] << 32);
"umm" points to a array with 4 elements.
i can be 0 to 3, so "i * 2" goes up to 6
And 4 <= 6 so it's a problem.
Smatch also complained about "i * 2 + 1" but I didn't include that. 

> drivers/media/dvb/frontends/cx24110.c +210 cx24110_set_fec() 'rate' 7 <= 8
   184          static const int rate[]={-1,1,2,3,5,7,-1};
	[snip]
   192          if (fec>FEC_AUTO)
   193                  fec=FEC_AUTO;
   194  
   195          if (fec==FEC_AUTO) { /* (re-)establish AutoAcq behaviour */
	[snip]
   207          } else {
   208                  cx24110_writereg(state,0x37,cx24110_readreg(state,0x37)|0x20);
   209                  /* set AcqVitDis bit */
   210                  if(rate[fec]>0) {
"rate" has 7 elements.  FEC_AUTO - 1 is 8.  7 <= 8.

> drivers/video/cyber2000fb.c +330 cyber2000fb_setcolreg() 'cfb->palette' 256 <= 504
   316                  if (var->green.length == 6 && regno < 64) {
   317                          cfb->palette[regno << 2].green = green;
	[snip]
   330                          green = cfb->palette[regno << 3].green;
"cfb->palette" is an array with 256 elements.  "regno" can be 63.  
63 << 3 is 504.

> sound/drivers/opl3/opl3_midi.c +652 snd_opl3_kill_voice() 'opl3->voices' 18 <= 20
   626          if (snd_BUG_ON(voice >= MAX_OPL3_VOICES))
   627                  return;
	[snip]
   651          if (vp->state == SNDRV_OPL3_ST_ON_4OP) {
   652                  vp2 = &opl3->voices[voice + 3];
"opl3->voices" has 18 elements.  "voice" can be 17.  17 + 3 is 20.

> sound/i2c/other/ak4113.c +94 snd_ak4113_create() 'pgm' 5 <= 6
    93          for (reg = 0; reg < AK4113_WRITABLE_REGS ; reg++)
    94                  chip->regmap[reg] = pgm[reg];
"pgm" has 5 elements.  AK4113_WRITABLE_REGS is 7.

> sound/soc/codecs/wm8994.c +1703 wm8994_write() 'wm8994->reg_cache' 1570 <=  12799
  1700          BUG_ON(reg > WM8994_MAX_REGISTER);
  1701  
  1702          if (!wm8994_volatile(reg))
  1703                  wm8994->reg_cache[reg] = value;
"wm8994->reg_cache" has 1570 elements.  WM8994_MAX_REGISTER is 12799.

Obviously that last one is not the most serious bug in the world...

regards,
dan carpenter

> 
> b/c the range end shouldn't be reached, or ?
> 
> -- 
> MfG/Sincerely
> Toralf Förster
> 
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ