| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250502134058.0f3e79cc@pumpkin> Date: Fri, 2 May 2025 13:40:58 +0100 From: David Laight <david.laight.linux@...il.com> To: Jann Horn <jannh@...gle.com> Cc: Jens Wiklander <jens.wiklander@...aro.org>, Sumit Garg <sumit.garg@...nel.org>, op-tee@...ts.trustedfirmware.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] tee: Prevent size calculation wraparound on 32-bit kernels On Fri, 2 May 2025 14:28:21 +0200 Jann Horn <jannh@...gle.com> wrote: > On Thu, May 1, 2025 at 10:02 PM David Laight > <david.laight.linux@...il.com> wrote: > > > > On Mon, 28 Apr 2025 15:06:43 +0200 > > Jann Horn <jannh@...gle.com> wrote: > > > > > The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on > > > 32-bit kernels: Multiplying a user-provided 32-bit value with the > > > size of a structure can wrap around on such platforms. > > > > > > Fix it by using saturating arithmetic for the size calculation. > > > > Why not just add a sanity check on 'num_params' after it is read. > > Max is 31 (1024-32)/32), but any sane limit will do because of > > the buf.buf_len test. > > That would work, too. I don't know which way looks nicer. The saturating arithmetic functions are non-obvious and non-trivial. I looked at the code to check where buf.buf_len came from, without its sanity check the user could craft a request where it matched the saturated size. I think I'd sanity check the number of items and then check that that buffer length is right for the number of items. David
Powered by blists - more mailing lists