lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 27 Nov 2019 01:54:59 -0800
From:   Maciej Żenczykowski <zenczykowski@...il.com>
To:     Maciej Żenczykowski <maze@...gle.com>
Cc:     Luis Chamberlain <mcgrof@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Iurii Zaikin <yzaikin@...gle.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linus FS Devel Mailing List <linux-fsdevel@...r.kernel.org>
Subject: [PATCH] proc_do_large_bitmap - return error on writes to non-existant bitmap

From: Maciej Żenczykowski <maze@...gle.com>

Writing to an unallocated bitmap (with echo) results in an infinite
loop - although I'm not clear if this is in kernel or in userspace.

We return ENOMEDIUM 'No medium found', because it's the best error
I could come up with to describe the situation.

(Note: I'm not aware of any actual way to hit this with current
kernel code, I hit this while testing new code, but it still seems
like it should be fixed, especially since it prevented my machine
from booting, and didn't even have the dignity to crash...)

Cc: Luis Chamberlain <mcgrof@...nel.org>
Cc: Kees Cook <keescook@...omium.org>
Cc: Iurii Zaikin <yzaikin@...gle.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Cc: Linus FS Devel Mailing List <linux-fsdevel@...r.kernel.org>
Signed-off-by: Maciej Żenczykowski <maze@...gle.com>
---
 kernel/sysctl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 2c3958d2f463..431966967c99 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -3174,6 +3174,11 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
 	unsigned long *tmp_bitmap = NULL;
 	char tr_a[] = { '-', ',', '\n' }, tr_b[] = { ',', '\n', 0 }, c;
 
+	if (write && (!bitmap || !bitmap_len))
+		/* returning 0 could cause an infinite loop */
+		return -ENOMEDIUM;
+	}
+
 	if (!bitmap || !bitmap_len || !left || (*ppos && !write)) {
 		*lenp = 0;
 		return 0;
-- 
2.24.0.432.g9d3f5f5b63-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ