lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 14 Mar 2016 15:18:56 +0800
From:	Dave Young <dyoung@...hat.com>
To:	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, d.hatayama@...fujitsu.com,
	bhe@...hat.com, vgoyal@...hat.com, kexec@...ts.infradead.org
Cc:	dyoung@...hat.com, nasa4836@...il.com, mhuang@...hat.com
Subject: [PATCH V3] proc-vmcore: wrong data type casting fix

On i686 PAE enabled machine the contiguous physical area could be large
and it can cause trimming down variables in below calculation in
read_vmcore() and mmap_vmcore():

	tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);

That is, the types being used is like below on i686:
m->offset: unsigned long long int
m->size:   unsigned long long int
*fpos:     loff_t (long long int)
buflen:    size_t (unsigned int)

So casting (m->offset + m->size - *fpos) by size_t means truncating a given
value by 4GB.

Suppose (m->offset + m->size - *fpos) being truncated to 0, buflen >0 then
we will get tsz = 0. It is of course not an expected result. Similarly we
could also get other truncated values less than buflen. Then the real size
passed down is not correct any more.

If (m->offset + m->size - *fpos) is above 4GB, read_vmcore or mmap_vmcore
use the min_t result with truncated values being compared to buflen.
Then, fpos proceeds with the wrong value so that we reach below bugs:

1) read_vmcore will refuse to continue so makedumpfile fails.
2) mmap_vmcore will trigger BUG_ON() in remap_pfn_range().

Use unsigned long long in min_t instead so that the variables in  are not
truncated.

Signed-off-by: Baoquan He <bhe@...hat.com>
Signed-off-by: Dave Young <dyoung@...hat.com>
---
v2->v3: tweak patch description about bug details for people to get the
problem easier.
v1->v2: spelling fix in patch log
 fs/proc/vmcore.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- linux-x86.orig/fs/proc/vmcore.c
+++ linux-x86/fs/proc/vmcore.c
@@ -231,7 +231,9 @@ static ssize_t __read_vmcore(char *buffe
 
 	list_for_each_entry(m, &vmcore_list, list) {
 		if (*fpos < m->offset + m->size) {
-			tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);
+			tsz = (size_t)min_t(unsigned long long,
+					    m->offset + m->size - *fpos,
+					    buflen);
 			start = m->paddr + *fpos - m->offset;
 			tmp = read_from_oldmem(buffer, tsz, &start, userbuf);
 			if (tmp < 0)
@@ -461,7 +463,8 @@ static int mmap_vmcore(struct file *file
 		if (start < m->offset + m->size) {
 			u64 paddr = 0;
 
-			tsz = min_t(size_t, m->offset + m->size - start, size);
+			tsz = (size_t)min_t(unsigned long long,
+					    m->offset + m->size - start, size);
 			paddr = m->paddr + start - m->offset;
 			if (vmcore_remap_oldmem_pfn(vma, vma->vm_start + len,
 						    paddr >> PAGE_SHIFT, tsz,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ