lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Mar 2016 16:05:54 +0800 From: lizf@...nel.org To: stable@...r.kernel.org Cc: linux-kernel@...r.kernel.org, Dan Carpenter <dan.carpenter@...cle.com>, "David S. Miller" <davem@...emloft.net>, Zefan Li <lizefan@...wei.com> Subject: [PATCH 3.4 060/107] rds: fix an integer overflow test in rds_info_getsockopt() From: Dan Carpenter <dan.carpenter@...cle.com> 3.4.111-rc1 review patch. If anyone has any objections, please let me know. ------------------ commit 468b732b6f76b138c0926eadf38ac88467dcd271 upstream. "len" is a signed integer. We check that len is not negative, so it goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than INT_MAX so the condition can never be true. I don't know if this is harmful but it seems safe to limit "len" to INT_MAX - 4095. Fixes: a8c879a7ee98 ('RDS: Info and stats') Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Zefan Li <lizefan@...wei.com> --- net/rds/info.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rds/info.c b/net/rds/info.c index 9a6b4f6..140a44a 100644 --- a/net/rds/info.c +++ b/net/rds/info.c @@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, /* check for all kinds of wrapping and the like */ start = (unsigned long)optval; - if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) { + if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) { ret = -EINVAL; goto out; } -- 1.9.1
Powered by blists - more mailing lists