Message-ID: <20241002122909.ak4itmqzg4b2icsx@quack3>
Date: Wed, 2 Oct 2024 14:29:09 +0200
From: Jan Kara <jack@...e.cz>
To: Gianfranco Trad <gianf.trad@...il.com>
Cc: jack@...e.com, linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
	syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
Subject: Re: [PATCH v2] udf: fix uninit-value use in udf_get_fileshortad

On Wed 25-09-24 09:46:15, Gianfranco Trad wrote:
> Check for overflow when computing alen in udf_current_aext to mitigate
> later uninit-value use in udf_get_fileshortad KMSAN bug[1].
> After applying the patch reproducer did not trigger any issue[2].
> 
> [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
> [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
> 
> Reported-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
> Tested-by: syzbot+8901c4560b7ab5c2f9df@...kaller.appspotmail.com
> Suggested-by: Jan Kara <jack@...e.com>
> Signed-off-by: Gianfranco Trad <gianf.trad@...il.com>

Thanks. I've added the patch to my tree.

								Honza

> ---
> 
> Notes:
> 	changes in v2:
> 		- use check_add_overflow helper to check for overflow.
> 	
> 	link to v1: https://lore.kernel.org/all/20240919195227.412583-1-gianf.trad@gmail.com/T/
> 
>  fs/udf/inode.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/udf/inode.c b/fs/udf/inode.c
> index 4726a4d014b6..811a035b600f 100644
> --- a/fs/udf/inode.c
> +++ b/fs/udf/inode.c
> @@ -2215,9 +2215,10 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos,
>  		if (!epos->offset)
>  			epos->offset = sizeof(struct allocExtDesc);
>  		ptr = epos->bh->b_data + epos->offset;
> -		alen = sizeof(struct allocExtDesc) +
> -			le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
> -							lengthAllocDescs);
> +		if (check_add_overflow(sizeof(struct allocExtDesc),
> +					le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)
> +						->lengthAllocDescs), &alen))
> +			return -1;
>  	}
>  
>  	switch (iinfo->i_alloc_type) {
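
Review bot: The check_add_overflow() call on the added lines only rejects a sum that cannot be represented in alen; an on-disk lengthAllocDescs that is large but still representable is accepted, and nothing in this hunk bounds alen against the size of the buffer behind epos->bh->b_data. If later descriptor reads treat alen as the end of the valid area, consider also rejecting a value that runs past the buffer here, alongside the overflow check. Separately, loading the header into a local struct allocExtDesc pointer first would avoid breaking the cast expression across lines just before ->lengthAllocDescs, and a one-line comment saying that lengthAllocDescs comes from disk and is untrusted would explain why the return -1 path exists.
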
> -- 
> 2.43.0
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR
