lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250306123514.386434-1-nicolas.bouchinet@clip-os.org>
Date: Thu,  6 Mar 2025 13:35:07 +0100
From: nicolas.bouchinet@...p-os.org
To: coda@...cmu.edu,
	linux-kernel@...r.kernel.org,
	codalist@...a.cs.cmu.edu,
	linux-nfs@...r.kernel.org
Cc: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>,
	Joel Granados <j.granados@...sung.com>,
	Clemens Ladisch <clemens@...isch.de>,
	Arnd Bergmann <arnd@...db.de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jan Harkes <jaharkes@...cmu.edu>,
	Trond Myklebust <trondmy@...nel.org>,
	Anna Schumaker <anna@...nel.org>
Subject: [PATCH v3 0/3] Fixes multiple sysctl bound checks

From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>

Hi,

This patchset adds some bound checks to sysctls to avoid negative
value writes.

The patched sysctls were storing the result of the proc_dointvec
proc_handler into an unsigned int data. proc_dointvec being able to
parse negative value, and it return value being a signed int, this could
lead to undefined behaviors.
This has led to kernel crash in the past as described in commit
3b3376f222e3 ("sysctl.c: fix underflow value setting risk in vm_table")

They are now bounded between SYSCTL_ZERO and SYSCTL_INT_MAX.
The proc_handlers have thus been updated to proc_dointvec_minmax.

This patchset has been written over sysctl-testing branch [1].
See [2] for similar sysctl fixes currently in review.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl.git/log/?h=sysctl-testing
[2]: https://lore.kernel.org/all/20250115132211.25400-1-nicolas.bouchinet@clip-os.org/

Best regards,

Nicolas

---

Changes since v2:
https://lore.kernel.org/all/20250224095826.16458-1-nicolas.bouchinet@clip-os.org/

* Detached patches 2/6, 4/6 and 5/6
* Changed coda_timeout type from unsigned long to unsigned int as
  suggested by Joel Granados and Jan Harkes.

Changes since v1:
https://lore.kernel.org/all/20250127142014.37834-1-nicolas.bouchinet@clip-os.org/

* Detached patches 1/9, 2/9 [3] and 3/9 [4]
* Adapted the cover-letter message to match the reduced patchset

[3]: https://lore.kernel.org/all/20250129170633.88574-1-nicolas.bouchinet@clip-os.org/
[4]: https://lore.kernel.org/all/20250128103821.29745-1-nicolas.bouchinet@clip-os.org/

---

Nicolas Bouchinet (3):
  sysctl: Fixes idmap_cache_timeout bounds
  sysctl/coda: Fixes timeout bounds
  sysctl: Fixes max-user-freq bounds

 drivers/char/hpet.c | 4 +++-
 fs/coda/coda_int.h  | 2 +-
 fs/coda/sysctl.c    | 4 +++-
 fs/nfs/nfs4sysctl.c | 4 +++-
 4 files changed, 10 insertions(+), 4 deletions(-)

-- 
2.48.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ