| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250224095826.16458-1-nicolas.bouchinet@clip-os.org>
Date: Mon, 24 Feb 2025 10:58:15 +0100
From: nicolas.bouchinet@...p-os.org
To: linux-kernel@...r.kernel.org,
linux-rdma@...r.kernel.org,
linux-scsi@...r.kernel.org,
codalist@...a.cs.cmu.edu,
linux-nfs@...r.kernel.org
Cc: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>,
Joel Granados <j.granados@...sung.com>,
Clemens Ladisch <clemens@...isch.de>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jason Gunthorpe <jgg@...pe.ca>,
Leon Romanovsky <leon@...nel.org>,
"James E.J. Bottomley" <James.Bottomley@...senPartnership.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Jan Harkes <jaharkes@...cmu.edu>,
Chuck Lever <chuck.lever@...cle.com>,
Jeff Layton <jlayton@...nel.org>,
Neil Brown <neilb@...e.de>,
Olga Kornievskaia <okorniev@...hat.com>,
Dai Ngo <Dai.Ngo@...cle.com>,
Tom Talpey <tom@...pey.com>,
Trond Myklebust <trondmy@...nel.org>,
Anna Schumaker <anna@...nel.org>,
Bart Van Assche <bvanassche@....org>,
Zhu Yanjun <yanjun.zhu@...ux.dev>,
Al Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>
Subject: [PATCH v2 0/6] Fixes multiple sysctl bound checks
From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
Hi,
This patchset adds some bound checks to sysctls to avoid negative
value writes.
The patched sysctls were storing the result of the proc_dointvec
proc_handler into an unsigned int data. proc_dointvec being able to
parse negative value, and it return value being a signed int, this could
lead to undefined behaviors.
This has led to kernel crash in the past as described in commit
3b3376f222e3 ("sysctl.c: fix underflow value setting risk in vm_table")
They are now bounded between SYSCTL_ZERO and SYSCTL_INT_MAX.
The proc_handlers have thus been updated to proc_dointvec_minmax.
This patchset has been written over sysctl-testing branch [1].
See [2] for similar sysctl fixes currently in review.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl.git/log/?h=sysctl-testing
[2]: https://lore.kernel.org/all/20250115132211.25400-1-nicolas.bouchinet@clip-os.org/
Best regards,
Nicolas
---
Changes since v1:
https://lore.kernel.org/all/20250127142014.37834-1-nicolas.bouchinet@clip-os.org/
* Detached patches 1/9, 2/9 [3] and 3/9 [4]
* Adapted the cover-letter message to match the reduced patchset
[3]: https://lore.kernel.org/all/20250129170633.88574-1-nicolas.bouchinet@clip-os.org/
[4]: https://lore.kernel.org/all/20250128103821.29745-1-nicolas.bouchinet@clip-os.org/
---
Nicolas Bouchinet (6):
sysctl: Fixes idmap_cache_timeout bounds
sysctl: Fixes nsm_local_state bounds
sysctl/coda: Fixes timeout bounds
sysctl: Fixes scsi_logging_level bounds
sysctl/infiniband: Fixes infiniband sysctl bounds
sysctl: Fixes max-user-freq bounds
drivers/char/hpet.c | 4 +++-
drivers/infiniband/core/iwcm.c | 4 +++-
drivers/infiniband/core/ucma.c | 4 +++-
drivers/scsi/scsi_sysctl.c | 4 +++-
fs/coda/sysctl.c | 4 +++-
fs/lockd/svc.c | 4 +++-
fs/nfs/nfs4sysctl.c | 4 +++-
7 files changed, 21 insertions(+), 7 deletions(-)
--
2.48.1
Powered by blists - more mailing lists