lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4ECD6873.7080106@metafoo.de>
Date:	Wed, 23 Nov 2011 22:41:07 +0100
From:	Lars-Peter Clausen <lars@...afoo.de>
To:	Ian Abbott <abbotti@....co.uk>
CC:	Dan Carpenter <dan.carpenter@...cle.com>,
	Xi Wang <xi.wang@...il.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"devel@...verdev.osuosl.org" <devel@...verdev.osuosl.org>,
	Mori Hess <fmhess@...rs.sourceforge.net>,
	"security@...nel.org" <security@...nel.org>,
	Lucas De Marchi <lucas.demarchi@...fusion.mobi>,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Ian Abbott <ian.abbott@....co.uk>,
	Franky Lin <frankyl@...adcom.com>,
	Greg Dietsche <Gregory.Dietsche@....edu>,
	Mark Pearson <markpearson_de@...oo.de>
Subject: Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

On 11/23/2011 05:06 PM, Ian Abbott wrote:
> On 2011-11-23 14:50, Dan Carpenter wrote:
>> On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
>>> Thanks for the pointer.  However you cannot do the overflow check using
>>>
>>>    if (sizeof(struct comedi_insn) * insnlist.n_insns < 
>>> insnlist.n_insns)
>>>
>>> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
>>> insnlist.n_insns = 0x7fffffff.
>>>
>>> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your
>>> check.
>>>
>>
>> Argh...  You're right, my check is wrong.  What I like about my patch
>> though is that it doesn't introduce an arbitrary limit.  Could you
>> redo your check without the MAX_INSNS?
> 
> Could use something like:
> 
>     if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
>         insns =
>             kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
>                 GFP_KERNEL);
>     if (!insns)
>         ...
> 
> (note that insns is initialized to NULL).
> 

Just use kcalloc, it will do the right thing for you.

- Lars
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ