| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1536100702-28706-1-git-send-email-asmadeus@codewreck.org>
Date: Wed, 5 Sep 2018 00:38:22 +0200
From: Dominique Martinet <asmadeus@...ewreck.org>
To: Omar Sandoval <osandov@...ndov.com>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: Dominique Martinet <asmadeus@...ewreck.org>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Alexey Dobriyan <adobriyan@...il.com>,
Eric Biederman <ebiederm@...ssion.com>,
James Morse <james.morse@....com>,
Bhupesh Sharma <bhsharma@...hat.com>, kernel-team@...com
Subject: [PATCH v3] proc/kcore: fix invalid memory access in multi-page read optimization
The 'm' kcore_list item could point to kclist_head, and it is incorrect to
look at m->addr / m->size in this case.
There is no choice but to run through the list of entries for every address
if we did not find any entry in the previous iteration
Reset 'm' to NULL in that case at Omar Sandoval's suggestion.
Fixes: bf991c2231117 ("proc/kcore: optimize multiple page reads")
Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
---
Sorry, resent v2 because From didn't match sob tag
fs/proc/kcore.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index ad72261ee3fe..578926032880 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -464,6 +464,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
ret = -EFAULT;
goto out;
}
+ m = NULL;
} else if (m->type == KCORE_VMALLOC) {
vread(buf, (char *)start, tsz);
/* we have to zero-fill user buffer even if no read */
--
2.17.1
Powered by blists - more mailing lists