| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Jul 2012 22:03:14 +0900
From: Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>,
Andrew Morton <akpm@...ux-foundation.org>,
David Howells <dhowells@...hat.com>,
James Morris <james.l.morris@...cle.com>
Cc: linux-kernel@...r.kernel.org, yrl.pp-manager.tt@...achi.com,
Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andrew Morton <akpm@...ux-foundation.org>,
David Howells <dhowells@...hat.com>,
James Morris <james.l.morris@...cle.com>
Subject: [PATCH] sysctl: fix improper indication of integer sysctl parameter
Hi,
This patch fixes the improper type casting of integer
sysctl parameters.
When we read the sysctl parameter, they are always treated
as signed integer, and are casted into unsigned long type
in the current kernel. If we set a value equivalent to
(the maximum value in signed integer + 1) which is a power
of 2 and just causes the overflow, they outputs unexpected
value.
This bug can be reproduced as follows.
Example)
# echo $((1<<31)) > /proc/sys/fs/lease-break-time
# cat /proc/sys/fs/lease-break-time
-18446744071562067968
(It should be -2147483648.)
or
# echo XXX > /proc/sys/fs/pipe-max-size
(where XXX is an arbitrary number between (1<<30 + 1) and
(1<<31 - 1) since the pipe-max-size is rounded up to a
power of 2 in kernel.)
# cat /proc/sys/fs/pipe-max-size
-18446744071562067968
(It should be -2147483648.)
To fix this problem, this patch casts the negative integer
into unsigned int type, instead of unsigned long type.
Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: David Howells <dhowells@...hat.com>
Cc: James Morris <james.l.morris@...cle.com>
---
kernel/sysctl.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 97186b9..e282b5b 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1789,7 +1789,7 @@ static int do_proc_dointvec_conv(bool *negp, unsigned long *lvalp,
int val = *valp;
if (val < 0) {
*negp = true;
- *lvalp = (unsigned long)-val;
+ *lvalp = (unsigned int)-val;
} else {
*negp = false;
*lvalp = (unsigned long)val;
@@ -1982,7 +1982,7 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp,
int val = *valp;
if (val < 0) {
*negp = true;
- *lvalp = (unsigned long)-val;
+ *lvalp = (unsigned int)-val;
} else {
*negp = false;
*lvalp = (unsigned long)val;
@@ -2197,7 +2197,7 @@ static int do_proc_dointvec_jiffies_conv(bool *negp, unsigned long *lvalp,
unsigned long lval;
if (val < 0) {
*negp = true;
- lval = (unsigned long)-val;
+ lval = (unsigned int)-val;
} else {
*negp = false;
lval = (unsigned long)val;
@@ -2220,7 +2220,7 @@ static int do_proc_dointvec_userhz_jiffies_conv(bool *negp, unsigned long *lvalp
unsigned long lval;
if (val < 0) {
*negp = true;
- lval = (unsigned long)-val;
+ lval = (unsigned int)-val;
} else {
*negp = false;
lval = (unsigned long)val;
@@ -2241,7 +2241,7 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
unsigned long lval;
if (val < 0) {
*negp = true;
- lval = (unsigned long)-val;
+ lval = (unsigned int)-val;
} else {
*negp = false;
lval = (unsigned long)val;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists