lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120731130314.24441.85882.stgit@ltc137.sdl.hitachi.co.jp>
Date:	Tue, 31 Jul 2012 22:03:14 +0900
From:	Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	David Howells <dhowells@...hat.com>,
	James Morris <james.l.morris@...cle.com>
Cc:	linux-kernel@...r.kernel.org, yrl.pp-manager.tt@...achi.com,
	Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	David Howells <dhowells@...hat.com>,
	James Morris <james.l.morris@...cle.com>
Subject: [PATCH] sysctl: fix improper indication of integer sysctl parameter

Hi,

This patch fixes the improper type casting of integer
sysctl parameters.

When we read the sysctl parameter, they are always treated
as signed integer, and are casted into unsigned long type
in the current kernel. If we set a value equivalent to
(the maximum value in signed integer + 1) which is a power
of 2 and just causes the overflow, they outputs unexpected
value.

This bug can be reproduced as follows.

Example)
 # echo $((1<<31)) > /proc/sys/fs/lease-break-time
 # cat /proc/sys/fs/lease-break-time
 -18446744071562067968
   (It should be -2147483648.)
or
 # echo XXX > /proc/sys/fs/pipe-max-size
   (where XXX is an arbitrary number between (1<<30 + 1) and
    (1<<31 - 1) since the pipe-max-size is rounded up to a
    power of 2 in kernel.)
 # cat /proc/sys/fs/pipe-max-size
 -18446744071562067968
   (It should be -2147483648.)

To fix this problem, this patch casts the negative integer
into unsigned int type, instead of unsigned long type.

Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@...achi.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: David Howells <dhowells@...hat.com>
Cc: James Morris <james.l.morris@...cle.com>
---

 kernel/sysctl.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 97186b9..e282b5b 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1789,7 +1789,7 @@ static int do_proc_dointvec_conv(bool *negp, unsigned long *lvalp,
 		int val = *valp;
 		if (val < 0) {
 			*negp = true;
-			*lvalp = (unsigned long)-val;
+			*lvalp = (unsigned int)-val;
 		} else {
 			*negp = false;
 			*lvalp = (unsigned long)val;
@@ -1982,7 +1982,7 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp,
 		int val = *valp;
 		if (val < 0) {
 			*negp = true;
-			*lvalp = (unsigned long)-val;
+			*lvalp = (unsigned int)-val;
 		} else {
 			*negp = false;
 			*lvalp = (unsigned long)val;
@@ -2197,7 +2197,7 @@ static int do_proc_dointvec_jiffies_conv(bool *negp, unsigned long *lvalp,
 		unsigned long lval;
 		if (val < 0) {
 			*negp = true;
-			lval = (unsigned long)-val;
+			lval = (unsigned int)-val;
 		} else {
 			*negp = false;
 			lval = (unsigned long)val;
@@ -2220,7 +2220,7 @@ static int do_proc_dointvec_userhz_jiffies_conv(bool *negp, unsigned long *lvalp
 		unsigned long lval;
 		if (val < 0) {
 			*negp = true;
-			lval = (unsigned long)-val;
+			lval = (unsigned int)-val;
 		} else {
 			*negp = false;
 			lval = (unsigned long)val;
@@ -2241,7 +2241,7 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
 		unsigned long lval;
 		if (val < 0) {
 			*negp = true;
-			lval = (unsigned long)-val;
+			lval = (unsigned int)-val;
 		} else {
 			*negp = false;
 			lval = (unsigned long)val;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ