| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200504195937.GS11244@42.do-not-panic.com>
Date: Mon, 4 May 2020 19:59:37 +0000
From: Luis Chamberlain <mcgrof@...nel.org>
To: Kees Cook <keescook@...omium.org>
Cc: Christoph Hellwig <hch@....de>, Iurii Zaikin <yzaikin@...gle.com>,
Alexey Dobriyan <adobriyan@...il.com>, linux-mm@...ck.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] sysctl: Make sure proc handlers can't expose heap memory
On Mon, May 04, 2020 at 12:08:55PM -0700, Kees Cook wrote:
> Just as a precaution, make sure that proc handlers don't accidentally
> grow "count" beyond the allocated kbuf size.
>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> This applies to hch's sysctl cleanup tree...
> ---
> fs/proc/proc_sysctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 15030784566c..535ab26473af 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
> struct inode *inode = file_inode(filp);
> struct ctl_table_header *head = grab_header(inode);
> struct ctl_table *table = PROC_I(inode)->sysctl_entry;
> + size_t count_max = count;
> void *kbuf;
> ssize_t error;
>
> @@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
>
> if (!write) {
> error = -EFAULT;
> + if (WARN_ON(count > count_max))
> + count = count_max;
That crash a system with panic-on-warn. I don't think we want that?
Luis
Powered by blists - more mailing lists