lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 18 Jun 2018 08:10:23 -0500
From:   Dave Kleikamp <dave.kleikamp@...cle.com>
To:     Nikolay Borisov <nborisov@...e.com>
Cc:     jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        shankarapailoor@...il.com
Subject: Re: [PATCH] jfs: Fix buffer overrun in ea_get

On 06/18/2018 03:38 AM, Nikolay Borisov wrote:
> Currently ea_buf->xattr buffer is allocated with min(min_size, ea_size).
> This is wrong since after the xattr buffer is allocated the ->max_size
> variable is actually rounded up to th next ->s_blocksize size. Fix this
> by using the rounded up max_size as input to the malloc.
> 
> Suggested-by: Shankara Pailoor <shankarapailoor@...il.com>
> Reported-by: Shankara Pailoor <shankarapailoor@...il.com>
> CC: shankarapailoor@...il.com
> Signed-off-by: Nikolay Borisov <nborisov@...e.com>
> ---
> Hello David, 
> 
> I'm sending you the patch for the issue which was originally reported and 
> suggested by Shankar.  I won't usually got and override the original 
> author of a patch but given the clear lack of experience with upstream (missing 
> SOB line, no changelog explaining the change etc) and the 
> fact there is already a CVE for this issue (using syzkaller for quick CVE 
> generation seems to be all the rage these days, go figure...) I'd rather have 
> an upstream, backportable version sooner rather than later. 

Thanks, but I already had Shankar's patch in the linux-next build. I was
out on vacation so I didn't get it pushed to Linus as soon as I would
have liked, but did so this morning.

I appreciate your effort.

Shaggy

> 
>  fs/jfs/xattr.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
> index c60f3d32ee91..96b9355ff69a 100644
> --- a/fs/jfs/xattr.c
> +++ b/fs/jfs/xattr.c
> @@ -493,14 +493,14 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
>  		 * To keep the rest of the code simple.  Allocate a
>  		 * contiguous buffer to work with
>  		 */
> -		ea_buf->xattr = kmalloc(size, GFP_KERNEL);
> -		if (ea_buf->xattr == NULL)
> -			return -ENOMEM;
> -
>  		ea_buf->flag = EA_MALLOC;
>  		ea_buf->max_size = (size + sb->s_blocksize - 1) &
>  		    ~(sb->s_blocksize - 1);
>  
> +		ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
> +		if (ea_buf->xattr == NULL)
> +			return -ENOMEM;
> +
>  		if (ea_size == 0)
>  			return 0;
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ