| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZlBlorsBMPK0RdnR@dwarf.suse.cz>
Date: Fri, 24 May 2024 12:02:10 +0200
From: Jiri Bohac <jbohac@...e.cz>
To: cve@...nel.org, linux-kernel@...r.kernel.org
Cc: linux-cve-announce@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Eric Biederman <ebiederm@...ssion.com>, kexec@...ts.infradead.org
Subject: Re: CVE-2023-52823: kernel: kexec: copy user-array safely
On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> kernel: kexec: copy user-array safely
>
> Currently, there is no overflow-check with memdup_user().
This is false.
Therefore, I'd like to dispute this CVE.
The overflow check is in the kexec_load_check()
function called shortly before the memdup_user() call:
SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
struct kexec_segment __user *, segments, unsigned long, flags)
{
result = kexec_load_check(nr_segments, flags);
if (result)
return result;
...
ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
...
}
#define KEXEC_SEGMENT_MAX 16
static inline int kexec_load_check(unsigned long nr_segments,
unsigned long flags)
{
...
if (nr_segments > KEXEC_SEGMENT_MAX)
return -EINVAL;
}
Thanks,
--
Jiri Bohac <jbohac@...e.cz>
SUSE Labs, Prague, Czechia
Powered by blists - more mailing lists