lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sat, 18 Jun 2022 20:40:26 -0700
From:   Hyunwoo Kim <imv4bel@...il.com>
To:     tim@...erelk.net, axboe@...nel.dk, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] paride: Fixed integer overflow in pt_read and pt_write

In pt_read() and pt_write(), the "size_t count" variable is
assigned to the "int n" variable and then size check is performed.

static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
{
	...
        int k, n, r, p, s, t, b;

	...

        while (count > 0) {

                if (!pt_poll_dsc(tape, HZ / 100, PT_TMO, "write"))
                        return -EIO;

                n = count;
                if (n > 32768)
                        n = 32768;      /* max per command */

If the user passes the SIZE_MAX value to the "count" variable,
the "n" value is greater than 32768, but it becomes a negative
number and passes the size check.
In other words, we need to add a negative check as well,
since the size check makes no sense.

Signed-off-by: Hyunwoo Kim <imv4bel@...il.com>
---
 drivers/block/paride/pt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c
index e815312a00ad..f37aa1349622 100644
--- a/drivers/block/paride/pt.c
+++ b/drivers/block/paride/pt.c
@@ -787,7 +787,7 @@ static ssize_t pt_read(struct file *filp, char __user *buf, size_t count, loff_t
 			return -EIO;
 
 		n = count;
-		if (n > 32768)
+		if (n > 32768 || n < 0)
 			n = 32768;	/* max per command */
 		b = (n - 1 + tape->bs) / tape->bs;
 		n = b * tape->bs;	/* rounded up to even block */
@@ -888,7 +888,7 @@ static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count,
 			return -EIO;
 
 		n = count;
-		if (n > 32768)
+		if (n > 32768 || n < 0)
 			n = 32768;	/* max per command */
 		b = (n - 1 + tape->bs) / tape->bs;
 		n = b * tape->bs;	/* rounded up to even block */
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ