lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 19 Nov 2013 01:20:43 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	"Charley (Hao Chuan) Chu" <charley.chu@...adcom.com>
Cc:	"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
	"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] FS: Fixed buffer overflow issue in seq_read()

On Tue, Nov 19, 2013 at 12:18:41AM +0000, Charley (Hao Chuan) Chu wrote:
> The buffer count is not initialized when a new buffer is allocated. 
> 
> It cause kernel crash with "Unable to handle kernel paging
> request..." error in __copy_to_user_std(). It happens when a 
> memory allocation failure in the while(1)-loop, which left the 
> buffer count (m->count) is larger than buffer size 
> (m->size).  
> 
> This patch is currently against a linux 3.12 kernel

The bug is real, but I don't like the fix.  First of all, m->from is
a red herring - it's not even looked at if m->count is 0.  The real
bug is that m->count is not cleared when m->buf is freed - at those
points we have zero bytes of valid contents reachable via m->buf.

What's more, one of those two points (in seq_read()) has cleaning of
->count right after successful kmalloc() following that kfree(), so
it just needs to be moved up a bit.  The other one (in traverse())
is missing.  So how about this:

seq_file: always clear m->count when we free m->buf

Once we'd freed m->buf, m->count should become zero - we have no
valid contents reachable via m->buf.

Reported-by: Charley (Hao Chuan) Chu <charley.chu@...adcom.com>
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
---
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 1cd2388..1d641bb 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -136,6 +136,7 @@ static int traverse(struct seq_file *m, loff_t offset)
 Eoverflow:
 	m->op->stop(m, p);
 	kfree(m->buf);
+	m->count = 0;
 	m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
 	return !m->buf ? -ENOMEM : -EAGAIN;
 }
@@ -232,10 +233,10 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
 			goto Fill;
 		m->op->stop(m, p);
 		kfree(m->buf);
+		m->count = 0;
 		m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
 		if (!m->buf)
 			goto Enomem;
-		m->count = 0;
 		m->version = 0;
 		pos = m->index;
 		p = m->op->start(m, &pos);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ