lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20110418193715.GH4800@outflux.net>
Date:	Mon, 18 Apr 2011 12:37:15 -0700
From:	Kees Cook <kees.cook@...onical.com>
To:	Robert Święcki <robert@...ecki.net>
Cc:	linux-kernel@...r.kernel.org, taviso@...xchg8b.com,
	security@...nel.org
Subject: Re: Kernel panic (NULL ptr deref?) in find_ge_pid()/next_pidmap()
 (via sys_getdents or sys_readdir)

Hi Robert,

On Mon, Apr 18, 2011 at 02:57:55PM +0200, Robert Święcki wrote:
> and a repro - should be quite obvious for FS folks, I guess
> filp->f_pos needs better checking in proc's readdir (or in llseek).

Yup:

int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
{
        unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
...
        for (; nr < ARRAY_SIZE(proc_base_stuff); filp->f_pos++, nr++) {
...
        }

        ns = filp->f_dentry->d_sb->s_fs_info;
        iter.task = NULL;
        iter.tgid = filp->f_pos - TGID_OFFSET;
...

There's no test to validate f_pos. If it's out of bounds, the "for"
just doesn't run.

-Kees

-- 
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ