linux-kernel - A divide by zero bug in lib/math/rational.c (with triggering input)

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Date:   Fri, 21 May 2021 13:09:13 +0800
From:   Yiyuan guo <yguoaz@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     andy@...nel.org, tpiepho@...il.com, akpm@...ux-foundation.org,
        oskar@...ra.com, Yiyuan guo <yguoaz@...il.com>
Subject: A divide by zero bug in lib/math/rational.c (with triggering input)

In the file lib/math/rational.c, the function
rational_best_approximation has the following
code:

void rational_best_approximation(
    unsigned long given_numerator, unsigned long given_denominator,
    unsigned long max_numerator, unsigned long max_denominator,
    unsigned long *best_numerator, unsigned long *best_denominator) {
   ...
   if ((n2 > max_numerator) || (d2 > max_denominator)) {
            unsigned long t = min((max_numerator - n0) / n1,
                          (max_denominator - d0) / d1);
   ...
}

d1 may be equal to zero when performing the division, leading to a
divide by zero problem.

One input  to trigger the divide by zero bug is:
rational_best_approximation(31415, 100, (1 << 8) - 1, (1 << 5) - 1, &n, &d)