| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <FFE931C2-DE41-4AD8-866B-FD37C1493590@oracle.com>
Date: Wed, 14 Nov 2018 03:35:25 -0700
From: William Kucharski <william.kucharski@...cle.com>
To: "Isaac J. Manjarres" <isaacm@...eaurora.org>
Cc: Kees Cook <keescook@...omium.org>, crecklin@...hat.com,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
psodagud@...eaurora.org, tsoni@...eaurora.org,
stable@...r.kernel.org
Subject: Re: [PATCH] mm/usercopy: Use memory range to be accessed for
wraparound check
> On Nov 13, 2018, at 5:51 PM, Isaac J. Manjarres <isaacm@...eaurora.org> wrote:
>
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index 852eb4e..0293645 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -151,7 +151,7 @@ static inline void check_bogus_address(const unsigned long ptr, unsigned long n,
> bool to_user)
> {
> /* Reject if object wraps past end of memory. */
> - if (ptr + n < ptr)
> + if (ptr + (n - 1) < ptr)
> usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n);
I'm being paranoid, but is it possible this routine could ever be passed "n" set to zero?
If so, it will erroneously abort indicating a wrapped address as (n - 1) wraps to ULONG_MAX.
Easily fixed via:
if ((n != 0) && (ptr + (n - 1) < ptr))
William Kucharski
Powered by blists - more mailing lists