lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 21 Oct 2010 09:29:39 +0200
From:	Dan Carpenter <error27@...il.com>
To:	Achim Leubner <achim_leubner@...ptec.com>,
	"James E.J. Bottomley" <James.Bottomley@...e.de>,
	linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch] gdth: integer overflow in ioctl

On Fri, Oct 08, 2010 at 09:03:07AM +0200, Dan Carpenter wrote:
> gdth_ioctl_alloc() takes the size variable as an int.
> copy_from_user() takes the size variable as an unsigned long.
> gen.data_len and gen.sense_len are unsigned longs.
> On x86_64 longs are 64 bit and ints are 32 bit.
> 
> We could pass in a very large number and the allocation would truncate
> the size to 32 bits and allocate a small buffer.  Then when we do the
> copy_from_user(), it would result in a memory corruption.
> 
> CC: stable@...nel.org
> Signed-off-by: Dan Carpenter <error27@...il.com>
> 

I never know if anyone gets my emails and so I has a small sad face on
the front of my head here: --------------->   :(

regards,
dan carpenter


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ