lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <34EC51E0-6759-40B6-A3E5-02871FD32979@linuxhacker.ru>
Date:	Tue, 29 Apr 2014 23:31:13 -0400
From:	Oleg Drokin <green@...uxhacker.ru>
To:	Dan Carpenter <dan.carpenter@...cle.com>
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org, devel@...verdev.osuosl.org,
	James Nunez <james.a.nunez@...el.com>
Subject: Re: [PATCH 18/47] staging/lustre/hsm: HSM requests not delivered

On Apr 29, 2014, at 5:08 AM, Dan Carpenter wrote:

> On Sun, Apr 27, 2014 at 01:06:42PM -0400, Oleg Drokin wrote:
>> diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
>> index 7fbc18e..c391b60 100644
>> --- a/drivers/staging/lustre/lustre/llite/dir.c
>> +++ b/drivers/staging/lustre/lustre/llite/dir.c
>> @@ -1804,6 +1804,11 @@ out_rmdir:
>> 		/* Compute the whole struct size */
>> 		totalsize = hur_len(hur);
> hur_len() has an integer overflow bug.

Indeed. Thanks.

The below check for the MDS_MAXREQSIZE was aimed at fixing it, I guess. But it's obviously flawed.

>> 		OBD_FREE_PTR(hur);
>> +
>> +		/* Final size will be more than double totalsize */
>> +		if (totalsize >= MDS_MAXREQSIZE / 3)
>> +			return -E2BIG;
> "totalsize" is signed and this condition doesn't take negatives into
> consideration.  Make totalsize unsigned.

In fact we should just enforce a max limit on item count in hur structure above
and that would take care of both the overflow and here.

>> +
>> 		OBD_ALLOC_LARGE(hur, totalsize);
> How do we know that "totalsize" is more than sizeof(*hur)?  If we fixed
> the overflow bug then maybe this isn't a problem.  I haven't looked.

hur_size calculates total size as size of the struct hur (but using offset_of of it's last member that's a zero-sized array + whatever the size of the follow on items.

Bye,
    Oleg--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ