| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.02.1302202358220.22263@ionos>
Date: Thu, 21 Feb 2013 00:01:07 +0100 (CET)
From: Thomas Gleixner <tglx@...utronix.de>
To: Tejun Heo <tj@...nel.org>
cc: Andrew Morton <akpm@...ux-foundation.org>,
Sasha Levin <sasha.levin@...cle.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] posix-timer: don't call idr_find() w/ out-of-range ID
On Wed, 20 Feb 2013, Tejun Heo wrote:
> When idr_find() is fed a negative ID, it used to look up the ID
> ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
> move left MAX_IDR_* into idr.c") patch, and triggers WARN_ON_ONCE()
> after it.
>
> __lock_timer() feeds timer_id from userland directly to idr_find()
> without sanitizing it which can trigger the above malfunctions. Add a
> range check on @timer_id before invoking idr_find() in __lock_timer().
>
> While timer_t is defined as int by all archs at the moment, Andrew
> worries that it may be defined as a larger type later on. Make the
> test cover larger integers too so that it at least is guaranteed to
> not return the wrong timer.
Again. I totaly agree with that for stable, but I disagree that this
is the real fix.
idr_find() should simply return NULL, if "id < 0". Is it that hard?
Thanks,
tglx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists