| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ed14a180-56c8-40f2-acf7-26a787eb3769@suswa.mountain>
Date: Thu, 19 Sep 2024 11:12:30 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Chuck Lever <chuck.lever@...cle.com>
Cc: Jeff Layton <jlayton@...nel.org>, Neil Brown <neilb@...e.de>,
Olga Kornievskaia <okorniev@...hat.com>,
Dai Ngo <Dai.Ngo@...cle.com>, Tom Talpey <tom@...pey.com>,
linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: [PATCH v2] nfsd: prevent integer overflow in decode_cb_compound4res()
If "length" is >= U32_MAX - 3 then the "length + 4" addition can result
in an integer overflow. The impact of this bug is not totally clear to
me, but it's safer to not allow the integer overflow.
Check that "length" is valid right away before doing any math.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
v2: Check that "len" is valid instead of just checking for integer
overflows.
fs/nfsd/nfs4callback.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index 43b8320c8255..0f5b7b6fba74 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -317,6 +317,8 @@ static int decode_cb_compound4res(struct xdr_stream *xdr,
hdr->status = be32_to_cpup(p++);
/* Ignore the tag */
length = be32_to_cpup(p++);
+ if (unlikely(length > xdr->buf->len))
+ goto out_overflow;
p = xdr_inline_decode(xdr, length + 4);
if (unlikely(p == NULL))
goto out_overflow;
--
2.34.1
Powered by blists - more mailing lists