Message-ID: <49b082c828e3f6772094f44a93d07040d4970c64.camel@intel.com>
Date: Tue, 25 Sep 2018 10:39:58 -0700
From: Yu-cheng Yu <yu-cheng.yu@...el.com>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, Oleg Nesterov <oleg@...hat.com>
Subject: Re: [PATCH] binfmt_elf: Fix core dump memory corruption
On Tue, 2018-07-17 at 09:25 -0700, Yu, Yu-cheng wrote:
> In fill_note_info(), we kzalloc elf_thread_core_info.notes[] only
> for (core_note_type != 0) regsets. However, in
> fill_thread_core_info(), we still leave empty notes and go beyond
> the allocated size. Fix it.
>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@...el.com>
> ---
> fs/binfmt_elf.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 816cc921cf36..6f42e05d2833 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -1723,7 +1723,8 @@ static int fill_thread_core_info(struct
> elf_thread_core_info *t,
> const struct user_regset_view *view,
> long signr, size_t *total)
> {
> - unsigned int i;
> + unsigned int i; /* index to regsets */
> + unsigned int j; /* index to notes */
> unsigned int regset0_size = regset_size(t->task, &view->regsets[0]);
>
> /*
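Review bot: `j` is declared here but only set to 1 in a later hunk, so the invariant it carries (the note index runs in step with `i` until the first regset without a core_note_type is skipped) is not visible at the declaration. Consider either `unsigned int i, j;` with the `j = 1` kept on the loop line, or, better, descriptive names such as `regset_idx` and `note_idx` in place of `i` and `j`, since the two variables now index different arrays of different lengths and a reader has to keep that straight. The comments also read more precisely as "index into view->regsets[]" and "index into t->notes[]".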
> @@ -1744,9 +1745,9 @@ static int fill_thread_core_info(struct
> elf_thread_core_info *t,
>
> /*
> * Each other regset might generate a note too. For each regset
> - * that has no core_note_type or is inactive, we leave t->notes[i]
> - * all zero and we'll know to skip writing it later.
> + * that has no core_note_type or is inactive, we skip it.
> */
> + j = 1;
> for (i = 1; i < view->n; ++i) {
> const struct user_regset *regset = &view->regsets[i];
> do_thread_regset_writeback(t->task, regset);
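Review bot: the replaced comment drops a fact the writer still depends on: a t->notes[] entry that is never filled stays all zero (the array is kzalloc'd, per the description) and is skipped when the dump is written, and with the new `j` that case still occurs for a regset whose get() fails. Keep that sentence and add the reason `j` exists: t->notes[] holds one slot per regset with a core_note_type, not one per regset, so a regset without one must not consume a note slot. It is also worth stating that `j = 1` pairs with `i = 1` because notes[0] belongs to regsets[0]; writing `for (i = 1, j = 1; i < view->n; ++i)` keeps that pairing on one line instead of a bare `j = 1;` above the loop.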
> @@ -1763,17 +1764,18 @@ static int fill_thread_core_info(struct
> elf_thread_core_info *t,
> kfree(data);
> else {
> if (regset->core_note_type != NT_PRFPREG)
> - fill_note(&t->notes[i], "LINUX",
> + fill_note(&t->notes[j], "LINUX",
> regset->core_note_type,
> size, data);
> else {
> SET_PR_FPVALID(&t->prstatus,
> 1, regset0_size);
> - fill_note(&t->notes[i], "CORE",
> + fill_note(&t->notes[j], "CORE",
> NT_PRFPREG, size, data);
> }
> - *total += notesize(&t->notes[i]);
> + *total += notesize(&t->notes[j]);
> }
> + j++;
> }
> }
>
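Review bot: from the brace nesting, the `}` before `j++` closes the `else` and the one after it closes the surrounding block that selects regsets with a core_note_type, so `j++` also runs on the `kfree(data)` path where get() failed and nothing was written to t->notes[j]. That is safe only because the writer skips zero notes, and it cannot overrun since `j` advances at most once per regset with a core_note_type, which is exactly what was allocated; but if the intent is contiguous notes, move `j++` directly after `*total += notesize(&t->notes[j]);` inside the `else`. Either way, a one-line comment at the increment saying which behaviour is intended would save the next reader the same analysis. The commit message should also spell out the failure being fixed: a regset with core_note_type == 0 ahead of one with a type makes `i` exceed the number of allocated notes, so fill_note() writes past the end of the kzalloc'd array, which is the corruption named in the subject.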
> --
> 2.17.1
>
Hi All,
Any comments on this?
Thanks,
Yu-cheng