Date:   Fri, 1 Sep 2017 11:24:16 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Dison River <pwn2river@...il.com>
Cc:     sathya.prakash@...adcom.com, chaitra.basappa@...adcom.com,
        suganath-prabu.subramani@...adcom.com,
        MPT-FusionLinux.pdl@...adcom.com, linux-scsi@...r.kernel.org,
        linux-kernel@...r.kernel.org, security@...nel.org
Subject: Re: Buffer overflow in the mptctl_replace_fw() function in linux
 kernel MPT ioctl driver

On Fri, Sep 01, 2017 at 02:00:48PM +0800, Dison River wrote:
>     newFwSize = ALIGN(karg.newImageSize, 4);

This is an integer overflow, but it's harmless...  As a static checker
developer this is where I would print a warning:

drivers/message/fusion/mptctl.c:1748 mptctl_replace_fw() warn: potential integer overflow from user '((karg.newImageSize)) + (((4)) - 1)'

I also caught the integer overflow from two days ago but there are too
many ones like this so I can't check them all.  In mpt_alloc_fw_memory()
there is another potential integer overflow when we do:

	ioc->alloc_total += size;

But ->alloc_total is not used anywhere.

I don't see a buffer overflow here.

regards,
dan carpenter
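
The wrap that the checker warning above flags, shown as an added example that is not part of the original message or of the kernel source: a user-space C re-creation of the round-up-to-4 arithmetic next to a checked variant. It assumes the size is handled as a 32-bit unsigned value; `align_up_u32` and `align_up_u32_checked` are hypothetical names, and the sample sizes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the ALIGN() round-up on a 32-bit unsigned value:
 * (x + a - 1) & ~(a - 1), where a is a power of two.
 * Unsigned addition wraps modulo 2^32, so sizes near UINT32_MAX round to 0. */
static uint32_t align_up_u32(uint32_t x, uint32_t a)
{
    return (x + (a - 1)) & ~(a - 1);
}

/* Checked variant (hypothetical helper): returns false instead of wrapping. */
static bool align_up_u32_checked(uint32_t x, uint32_t a, uint32_t *out)
{
    if (a == 0 || (a & (a - 1)) != 0)   /* alignment must be a power of two */
        return false;
    if (x > UINT32_MAX - (a - 1))       /* x + a - 1 would exceed 32 bits */
        return false;
    *out = (x + (a - 1)) & ~(a - 1);
    return true;
}

int main(void)
{
    /* Constructed sample sizes: two ordinary values and the wrap boundary. */
    const uint32_t samples[] = { 5u, 4096u, 0xFFFFFFFCu, 0xFFFFFFFDu, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t checked = 0;
        bool ok = align_up_u32_checked(samples[i], 4, &checked);

        printf("size=0x%08x unchecked=0x%08x checked=%s\n",
               (unsigned)samples[i],
               (unsigned)align_up_u32(samples[i], 4),
               ok ? "ok" : "rejected (would wrap)");
    }
    return 0;
}
```

Whether a wrapped value matters depends on how the result is used afterwards, which is the question the message above answers for this driver.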
