| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Sep 2013 14:01:11 -0700 From: Kees Cook <kees@...flux.net> To: Wolfram Gloger <wg@...loc.de> Cc: dvyukov@...gle.com, ak@...ux.intel.com, linux-kernel@...r.kernel.org, pjt@...gle.com, andreyknvl@...gle.com, kcc@...gle.com, x86@...nel.org Subject: Re: Out-of-bounds access in get_wchan (arch/x86/kernel/process_64.c) On Sat, Sep 28, 2013 at 09:51:14PM +0200, Wolfram Gloger wrote: > Kees Cook <kees@...flux.net> writes: > > > Please note that these bounds checks aren't correct to begin with. Since > > a pointer is being dereferenced, the end boundry must be reduced by > > sizeof(unsigned long) as well. > > > > It looks like process_32.c suffers the same problems, too. > > I can't see the end boundary problem in process_32.c. The end checks > are properly reduced with the top_esp and top_ebp macros. > > All I can see in process_32.c is that the check > > if (bp < stack_page || bp > top_ebp+stack_page) > > could be replaced by: > > if (bp < stack_page-sizeof(unsigned long) || bp > top_ebp+stack_page) > > but that is a relaxation and not an over/underrun fix. > > Can you elaborate what problem you see in process_32.c? Ah, yes, sorry, this appears to only be a problem in process_64.c. I didn't look closely enough. I see now that top_esp and top_ebp correctly reduce the size of THREAD_SIZE. Thanks! -Kees -- Kees Cook @outflux.net -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists