lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20211018173511.26542-1-skhan@linuxfoundation.org>
Date:   Mon, 18 Oct 2021 11:35:11 -0600
From:   Shuah Khan <skhan@...uxfoundation.org>
To:     mcgrof@...nel.org, jeyu@...nel.org
Cc:     Shuah Khan <skhan@...uxfoundation.org>,
        linux-kernel@...r.kernel.org
Subject: [PATCH v2] module: fix validate_section_offset() overflow bug on 64-bit

validate_section_offset() uses unsigned long local variable to
add/store shdr->sh_offset and shdr->sh_size on all platforms.
unsigned long is too short when sh_offset is Elf64_Off which
would be the case on 64bit ELF headers.

This problem was found while adding an error message to print
sh_offset and sh_size. If sh_offset + sh_size exceed the size
of the local variable, the checks for overflow and offset/size
being too large will not find the problem and call the section
offset valid. This failure might cause problems later on.

Fix the overflow problem using the right size local variable when
CONFIG_64BIT is defined.

Signed-off-by: Shuah Khan <skhan@...uxfoundation.org>
---
Changes since v1:
- Updated commit log to describe the fix clearly. No code
  changes.

 kernel/module.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/module.c b/kernel/module.c
index ad03a2357377..84a9141a5e15 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2942,7 +2942,11 @@ static int module_sig_check(struct load_info *info, int flags)
 
 static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr)
 {
+#if defined(CONFIG_64BIT)
+	unsigned long long secend;
+#else
 	unsigned long secend;
+#endif
 
 	/*
 	 * Check for both overflow and offset/size being
-- 
2.30.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ