lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <FC1F9E38C0703341A1A750524E2525A9019791E6@XYUS-EX22.xyus.xyratex.com>
Date:	Fri, 2 Dec 2011 08:03:29 -0800
From:	"Mark Salyzyn" <mark_salyzyn@...xyratex.com>
To:	"Haogang Chen" <haogangchen@...il.com>, <aacraid@...ptec.com>
Cc:	<JBottomley@...allels.com>, <linux-scsi@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] SCSI: aacraid: potential integer overflow in aac_get_containers()

NAK

I dispute that it is necessary or worth the additional abstraction,
since MAXIMUM_NUM_CONTAINERS is in the order of 32, and
sizeof(*fsa_dev_ptr) is in the range of 80 bytes ... There is a LONG
road to hoe to get to the point of overload!

kcalloc -> __kmalloc(size_t, flags | __GFP_ZERO);
kzalloc -> kmalloc(size_t, flags | __GFP_ZERO);
kmalloc -> __kmalloc(size_t, flags);

kcalloc can not allocate a larger entity than kzalloc. But alas it can
report that the size has exceeded ULONG_MAX so that part of the patch is
VERY sound.

Sincerely -- Mark Salyzyn

-----Original Message-----
From: linux-scsi-owner@...r.kernel.org
[mailto:linux-scsi-owner@...r.kernel.org] On Behalf Of Haogang Chen
Sent: Wednesday, November 30, 2011 9:30 PM
To: aacraid@...ptec.com
Cc: JBottomley@...allels.com; linux-scsi@...r.kernel.org;
linux-kernel@...r.kernel.org; haogangchen@...il.com
Subject: [PATCH] SCSI: aacraid: potential integer overflow in
aac_get_containers()

There is a potential integer overflow in aac_get_containers(). When
maximum_num_containers is large, the subsequent call to kzalloc() will
allocate a buffer smaller than expected, which leads to memory
corruption in the for loop.

The patch replaces kzalloc with kcalloc.

Signed-off-by: Haogang Chen <haogangchen@...il.com>
---
 drivers/scsi/aacraid/aachba.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/aacraid/aachba.c
b/drivers/scsi/aacraid/aachba.c
index 409f580..440b84d 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -381,7 +381,7 @@ int aac_get_containers(struct aac_dev *dev)
 
 	if (maximum_num_containers < MAXIMUM_NUM_CONTAINERS)
 		maximum_num_containers = MAXIMUM_NUM_CONTAINERS;
-	fsa_dev_ptr = kzalloc(sizeof(*fsa_dev_ptr) *
maximum_num_containers,
+	fsa_dev_ptr = kcalloc(maximum_num_containers,
sizeof(*fsa_dev_ptr), 
 			GFP_KERNEL);
 	if (!fsa_dev_ptr)
 		return -ENOMEM;
-- 
1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ