Message-ID: <202005041205.C7AF4AF@keescook>
Date: Mon, 4 May 2020 12:08:55 -0700
From: Kees Cook <keescook@...omium.org>
To: Christoph Hellwig <hch@....de>
Cc: Luis Chamberlain <mcgrof@...nel.org>,
Iurii Zaikin <yzaikin@...gle.com>,
Alexey Dobriyan <adobriyan@...il.com>, linux-mm@...ck.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] sysctl: Make sure proc handlers can't expose heap memory
Just as a precaution, make sure that proc handlers don't accidentally
grow "count" beyond the allocated kbuf size.
Signed-off-by: Kees Cook <keescook@...omium.org>
---
This applies to hch's sysctl cleanup tree...
---
fs/proc/proc_sysctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 15030784566c..535ab26473af 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
struct inode *inode = file_inode(filp);
struct ctl_table_header *head = grab_header(inode);
struct ctl_table *table = PROC_I(inode)->sysctl_entry;
+ size_t count_max = count;
void *kbuf;
ssize_t error;
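Review bot: `count_max` is captured from `count` at function entry, so it only bounds the later copy by the kbuf size if kbuf is allocated from that same unmodified value, and the allocation is not visible in this hunk. Consider recording the bound next to the allocation, or add a comment on `size_t count_max = count;` stating that it must equal the allocated size. Declaring it `const` would also keep later code from changing it.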
@@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
if (!write) {
error = -EFAULT;
+ if (WARN_ON(count > count_max))
+ count = count_max;
if (copy_to_user(ubuf, kbuf, count))
goto out_free_buf;
}
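Review bot: the `WARN_ON(count > count_max)` in the `!write` branch is on a path that userspace reaches simply by reading a sysctl file, so a single misbehaving handler would emit a full backtrace on every read. `WARN_ON_ONCE()` would keep the diagnostic without letting an unprivileged reader flood the log. A one-line comment above the check noting that the proc handler may have grown `count` would also make the reason for the clamp clear to later readers.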
--
2.20.1
--
Kees Cook