lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20140131151651.26ff54cd7bd06fc5feb6fcc6@linux-foundation.org>
Date:	Fri, 31 Jan 2014 15:16:51 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Greg Pearson <greg.pearson@...com>
Cc:	vgoyal@...hat.com, d.hatayama@...fujitsu.com,
	holzheu@...ux.vnet.ibm.com, dhowells@...hat.com,
	paul.gortmaker@...driver.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vmcore: prevent PT_NOTE p_memsz overflow during header
 update

On Fri, 31 Jan 2014 16:06:06 -0700 Greg Pearson <greg.pearson@...com> wrote:

> Currently, update_note_header_size_elf64() and
> update_note_header_size_elf32() will add the size
> of a PT_NOTE entry to real_sz even if that causes real_sz
> to exceeds max_sz. This patch corrects the while loop logic
> in those routines to ensure that does not happen.
> 
> ...
>
> Occasionally, a second entry is encountered with very
> large n_namesz and n_descsz sizes:
> 
>   n_namesz = 0x80000008
>   n_descsz = 0x510ae163
>   n_type   = 0x80000008

Hang on.

> --- a/fs/proc/vmcore.c
> +++ b/fs/proc/vmcore.c
> @@ -468,12 +468,13 @@ static int __init update_note_header_size_elf64(const Elf64_Ehdr *ehdr_ptr)
>  			return rc;
>  		}
>  		nhdr_ptr = notes_section;
> -		while (real_sz < max_sz) {
> -			if (nhdr_ptr->n_namesz == 0)
> -				break;
> +		while (nhdr_ptr->n_namesz != 0) {
>  			sz = sizeof(Elf64_Nhdr) +
>  				((nhdr_ptr->n_namesz + 3) & ~3) +
>  				((nhdr_ptr->n_descsz + 3) & ~3);
> +			/* Silently drop further PT_NOTE entries */
> +			if ((real_sz + sz) > max_sz)
> +				break;

If we are encountering notes with these crazy sizes then what is
preventing (real_sx + sz) from wrapping through zero, which would
defeat this check?


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ