Message-ID: <20240620133546.kn7fde2u76llpn5z@quack3>
Date: Thu, 20 Jun 2024 15:35:46 +0200
From: Jan Kara <jack@...e.cz>
To: Roman Smirnov <r.smirnov@....ru>
Cc: Jan Kara <jack@...e.com>, linux-kernel@...r.kernel.org,
	Sergey Shtylyov <s.shtylyov@....ru>, lvc-project@...uxtesting.org
Subject: Re: [PATCH v2] udf: balloc: prevent integer overflow in
 udf_bitmap_free_blocks()

On Thu 20-06-24 10:24:13, Roman Smirnov wrote:
> An overflow may occur if the function is called with the last
> block and an offset greater than zero. It is necessary to add
> a check to avoid this.
> 
> Overflow is also possible when we sum offset and
> sizeof(struct spaceBitmapDesc) << 3. For this reason it
> is necessary to check overflow of this too. The result is
> stored in total_offset.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Suggested-by: Jan Kara <jack@...e.com>
> Signed-off-by: Roman Smirnov <r.smirnov@....ru>

Thanks for the patch. In the end I've noticed that unalloc table block
freeing has the same overflow checks and I've decided to move bitmap offset
overflow verification into mount code (so that any bitmap offset for a
block within a partition cannot overflow u32). The resulting patches are
attached for reference and I've queued them in my tree.

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

View attachment "0001-udf-prevent-integer-overflow-in-udf_bitmap_free_bloc.patch" of type "text/x-patch" (3603 bytes)

View attachment "0001-udf-Avoid-excessive-partition-lengths.patch" of type "text/x-patch" (2091 bytes)
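
The two approaches discussed in this thread, a per-call check of the bit offset sum and a mount-time bound on partition length, sketched as an added example that is not part of the original message or the attached patches. The function names, the `HDR_BITS` macro and the 24-byte header size standing in for `sizeof(struct spaceBitmapDesc)` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for sizeof(struct spaceBitmapDesc) << 3: a 24-byte
 * descriptor header, expressed in bits, that precedes the bitmap. */
#define HDR_BITS ((uint32_t)24 << 3)

/* Unchecked form: the u32 sum silently wraps for blocks near UINT32_MAX. */
static uint32_t bit_unchecked(uint32_t block, uint32_t offset)
{
	return block + offset + HDR_BITS;
}

/* Per-call check: build total_offset first, then add the block number,
 * rejecting either addition if it would wrap. */
static bool bit_checked(uint32_t block, uint32_t offset, uint32_t *bit)
{
	uint32_t total_offset;

	if (offset > UINT32_MAX - HDR_BITS)
		return false;
	total_offset = offset + HDR_BITS;
	if (block > UINT32_MAX - total_offset)
		return false;
	*bit = block + total_offset;
	return true;
}

/* Mount-time check: refuse a partition so long that the bit index of a
 * block inside it could exceed u32. */
static bool partition_len_ok(uint32_t part_len)
{
	return part_len <= UINT32_MAX - HDR_BITS;
}

int main(void)
{
	uint32_t bit = 0;

	printf("unchecked: %u\n", bit_unchecked(UINT32_MAX, 1));
	printf("checked ok: %d\n", bit_checked(UINT32_MAX, 1, &bit));
	printf("len ok: %d\n", partition_len_ok(UINT32_MAX));
	return 0;
}
```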
