| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 Jun 2018 15:05:21 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "Randy Dunlap" <rdunlap@...radead.org>,
"Michael Kerrisk" <mtk.manpages@...il.com>,
"Jens Axboe" <axboe@...nel.dk>,
"Mikulas Patocka" <mpatocka@...hat.com>,
"Joe Lawrence" <joe.lawrence@...hat.com>,
"Al Viro" <viro@...iv.linux.org.uk>,
"Josh Poimboeuf" <jpoimboe@...hat.com>,
"Linus Torvalds" <torvalds@...ux-foundation.org>
Subject: [PATCH 3.16 209/410] sysctl: check for UINT_MAX before unsigned
int min/max
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joe Lawrence <joe.lawrence@...hat.com>
commit fb910c42ccebf853c29296185c45c11164a56098 upstream.
Mikulas noticed in the existing do_proc_douintvec_minmax_conv() and
do_proc_dopipe_max_size_conv() introduced in this patchset, that they
inconsistently handle overflow and min/max range inputs:
For example:
0 ... param->min - 1 ---> ERANGE
param->min ... param->max ---> the value is accepted
param->max + 1 ... 0x100000000L + param->min - 1 ---> ERANGE
0x100000000L + param->min ... 0x100000000L + param->max ---> EINVAL
0x100000000L + param->max + 1, 0x200000000L + param->min - 1 ---> ERANGE
0x200000000L + param->min ... 0x200000000L + param->max ---> EINVAL
0x200000000L + param->max + 1, 0x300000000L + param->min - 1 ---> ERANGE
In do_proc_do*() routines which store values into unsigned int variables
(4 bytes wide for 64-bit builds), first validate that the input unsigned
long value (8 bytes wide for 64-bit builds) will fit inside the smaller
unsigned int variable. Then check that the unsigned int value falls
inside the specified parameter min, max range. Otherwise the unsigned
long -> unsigned int conversion drops leading bits from the input value,
leading to the inconsistent pattern Mikulas documented above.
Link: http://lkml.kernel.org/r/1507658689-11669-5-git-send-email-joe.lawrence@redhat.com
Signed-off-by: Joe Lawrence <joe.lawrence@...hat.com>
Reported-by: Mikulas Patocka <mpatocka@...hat.com>
Reviewed-by: Mikulas Patocka <mpatocka@...hat.com>
Cc: Al Viro <viro@...iv.linux.org.uk>
Cc: Jens Axboe <axboe@...nel.dk>
Cc: Michael Kerrisk <mtk.manpages@...il.com>
Cc: Randy Dunlap <rdunlap@...radead.org>
Cc: Josh Poimboeuf <jpoimboe@...hat.com>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
[bwh: Backported to 3.16:
- Drop changes in do_proc_douintvec_minmax_conv()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2233,17 +2233,18 @@ static int do_proc_dopipe_max_size_conv(
struct do_proc_dopipe_max_size_conv_param *param = data;
if (write) {
- unsigned int val = round_pipe_size(*lvalp);
+ unsigned int val;
+ if (*lvalp > UINT_MAX)
+ return -EINVAL;
+
+ val = round_pipe_size(*lvalp);
if (*negp || val == 0)
return -EINVAL;
if (param->min && *param->min > val)
return -ERANGE;
- if (*lvalp > UINT_MAX)
- return -EINVAL;
-
*valp = val;
} else {
unsigned int val = *valp;
Powered by blists - more mailing lists