Date:	Sun, 29 Nov 2015 11:02:11 -0300
From:	Geyslan Gregório Bem <geyslan@...il.com>
To:	Tony Luck <tony.luck@...el.com>, Fenghua Yu <fenghua.yu@...el.com>,
	linux-ia64@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: [RFC] arch/ia64/kernel/palinfo.c: bitvector_process reading out of bounds

Hello,

I'm doing some static analysis and stumbled upon this function:

static void bitvector_process(struct seq_file *m, u64 vector)
{
    int i,j;
    static const char *units[]={ "", "K", "M", "G", "T" };

    for (i=0, j=0; i < 64; i++ , j=i/10) {
        if (vector & 0x1)
            seq_printf(m, "%d%s ", 1 << (i-j*10), units[j]);
        vector >>= 1;
    }
}

It appears that units[] (5 elements) can be accessed out of bounds in
the seq_printf call

            seq_printf(m, "%d%s ", 1 << (i-j*10), units[j]);

once j is being set to i/10.

i goes from 0 to 63 (u64 bits length), and when vector & 1 (odd),
units[j] will calculate outside the boundaries when vector gets close
to Petabyte magnitude.

Well, as bitvector_process doesn't control the max size of vector and
the future is knocking on the door, I would suggest this change

-static const char *units[]={ "", "K", "M", "G", "T" };
+static const char *units[]={ "", "K", "M", "G", "T", "P", "E" };
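
Review bot: the seven entries in the new units[] line match the quoted loop only by coincidence of constants (i < 64 gives j = i/10 of at most 6), and nothing in the function ties the index to the table size. Consider checking j against ARRAY_SIZE(units) before the units[j] read, or bounding the loop by it, so that a later change to either the loop limit or the table cannot reintroduce the out-of-bounds read. The changed line also keeps "units[]={" without spaces around "=", which could be fixed while touching it.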

then if the u64 max value (18446744073709551615) is used the array
will provide the correct (E) suffix.

If that change is not pertinent I would like to know why.

-- 
Regards,

Geyslan G. Bem
hackingbits.com
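
The index arithmetic discussed in the message above, as an added user-space example that is not part of the original post or of the kernel source. The names units5, units7, max_unit_index and format_bitvector are hypothetical, and snprintf into a caller buffer stands in for seq_printf.

```c
#include <stdint.h>
#include <stdio.h>

/* Tables as quoted in the message: current (5 entries), proposed (7). */
static const char *const units5[] = { "", "K", "M", "G", "T" };
static const char *const units7[] = { "", "K", "M", "G", "T", "P", "E" };

/* Highest units[] index the quoted loop computes (j = i/10), or -1. */
int max_unit_index(uint64_t vector)
{
	int i, max = -1;
	for (i = 0; i < 64; i++, vector >>= 1)
		if (vector & 1)
			max = i / 10;
	return max;
}

/* Same loop with a bounds check; returns the set bits with no table entry. */
int format_bitvector(uint64_t vector, const char *const *units,
		     size_t n_units, char *buf, size_t len)
{
	size_t used = 0;
	int i, n, skipped = 0;
	if (len)
		buf[0] = '\0';
	for (i = 0; i < 64; i++, vector >>= 1) {
		if (!(vector & 1))
			continue;
		if ((size_t)i / 10 >= n_units) {
			skipped++;	/* would have read past units[] */
			continue;
		}
		n = snprintf(buf + used, len - used, "%d%s ",
			     1 << (i % 10), units[i / 10]);
		if (n < 0 || (size_t)n >= len - used)
			break;		/* output buffer full */
		used += (size_t)n;
	}
	return skipped;
}

int main(void)
{
	char buf[512];
	printf("bits skipped: %d with 5 entries, %d with 7\n",
	       format_bitvector(UINT64_MAX, units5, 5, buf, sizeof(buf)),
	       format_bitvector(UINT64_MAX, units7, 7, buf, sizeof(buf)));
	return 0;
}
```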