| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171128141148.3pkz6pwteuzoo2aa@mwanda>
Date: Tue, 28 Nov 2017 17:11:49 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: David Kershner <david.kershner@...sys.com>
Cc: gregkh@...uxfoundation.org, jes.sorensen@...il.com,
linux-kernel@...r.kernel.org,
driverdev-devel@...uxdriverproject.org, sparmaintainer@...sys.com,
erik.arfvidson@...il.com, wadgaonkarsam@...il.com,
Tim Sell <Timothy.Sell@...sys.com>
Subject: Re: [PATCH 1/2] staging: unisys: visorbus: address theoretical int
overflows
> --- a/drivers/staging/unisys/visorbus/visorchipset.c
> +++ b/drivers/staging/unisys/visorbus/visorchipset.c
> @@ -581,7 +581,8 @@ static void *parser_name_get(struct parser_context *ctx)
> struct visor_controlvm_parameters_header *phdr;
>
> phdr = &ctx->data;
> - if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
> + if ((unsigned long)phdr->name_offset +
> + (unsigned long)phdr->name_length > ctx->param_bytes)
> return NULL;
> ctx->curr = (char *)&phdr + phdr->name_offset;
> ctx->bytes_remaining = phdr->name_length;
I haven't reviewed this code very thouroughly. This should fix the
issue on 64 bit systems, but it's a no-op on 32 bit systems. Which
might be fine? I would be more comfortable if we just checked for
integer overflow explicitly. There are bunch of ways to do that:
if (phdr->name_offset > ctx->param_bytes ||
phdr->name_length > ctx->param_bytes ||
phdr->name_offset + phdr->name_length > ctx->param_bytes)
Or:
if (phdr->name_offset + phdr->name_length < phdr->name_offset ||
phdr->name_offset + phdr->name_length > ctx->param_bytes)
return NULL;
regards,
dan carpenter
Powered by blists - more mailing lists