| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LNX.2.00.1105092206110.19722@swampdragon.chaosbits.net> Date: Mon, 9 May 2011 22:09:19 +0200 (CEST) From: Jesper Juhl <jj@...osbits.net> To: Ben Hutchings <ben@...adent.org.uk> cc: Dan Rosenberg <drosenberg@...curity.com>, Russell King <rmk+kernel@....linux.org.uk>, Greg KH <gregkh@...e.de>, linux-kernel@...r.kernel.org, stable@...nel.org, akpm@...ux-foundation.org, torvalds@...ux-foundation.org, stable-review@...nel.org, alan@...rguk.ukuu.org.uk Subject: Re: [Stable-review] [patch 31/38] ARM: 6891/1: prevent heap corruption in OABI semtimedop On Sat, 7 May 2011, Ben Hutchings wrote: > On Thu, 2011-05-05 at 17:11 -0700, Greg KH wrote: > > 2.6.38-stable review patch. If anyone has any objections, please let us know. > > > > ------------------ > > > > From: Dan Rosenberg <drosenberg@...curity.com> > > > > commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream. > > > > When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not > > bound the nsops argument. A sufficiently large value will cause an > > integer overflow in allocation size, followed by copying too much data > > into the allocated buffer. Fix this by restricting nsops to SEMOPM. > > Untested. > > > > Signed-off-by: Dan Rosenberg <drosenberg@...curity.com> > > Signed-off-by: Russell King <rmk+kernel@....linux.org.uk> > > Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de> > > > > --- > > arch/arm/kernel/sys_oabi-compat.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > --- a/arch/arm/kernel/sys_oabi-compat.c > > +++ b/arch/arm/kernel/sys_oabi-compat.c > > @@ -311,7 +311,7 @@ asmlinkage long sys_oabi_semtimedop(int > > long err; > > int i; > > > > - if (nsops < 1) > > + if (nsops < 1 || nsops > SEMOPM) > > return -EINVAL; > > It's not that important, but the manual page says the error code should > E2BIG in the latter case. > So something like this... Return correct error (E2BIG) when nsops is greater than SEMOPM in sys_oabi_semtimedop. The man page (semtimedop(2)) lists this as the proper error in ths case: "E2BIG The argument nsops is greater than SEMOPM, the maximum number of operations allowed per system call." Signed-off-by: Jesper Juhl <jj@...osbits.net> Reported-by: Ben Hutchings <ben@...adent.org.uk> -- sys_oabi-compat.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c index af0aaeb..c196ad7 100644 --- a/arch/arm/kernel/sys_oabi-compat.c +++ b/arch/arm/kernel/sys_oabi-compat.c @@ -311,8 +311,10 @@ asmlinkage long sys_oabi_semtimedop(int semid, long err; int i; - if (nsops < 1 || nsops > SEMOPM) + if (nsops < 1) return -EINVAL; + else if (nsops > SEMOPM) + return -E2BIG; sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); if (!sops) return -ENOMEM; -- Jesper Juhl <jj@...osbits.net> http://www.chaosbits.net/ Don't top-post http://www.catb.org/jargon/html/T/top-post.html Plain text mails only, please. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists