| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aKpN-NuTets9EExp@kernel.org>
Date: Sun, 24 Aug 2025 02:25:44 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/7] lib: Fix a couple of potential signed oveflows
On Fri, Aug 22, 2025 at 03:22:08PM +0100, David Howells wrote:
> Fix keyctl_read_alloc() to check for a potential unsigned overflow when we
> allocate a buffer with an extra byte added on the end for a NUL.
>
> Fix keyctl_dh_compute_alloc() for the same thing.
>
> Signed-off-by: David Howells <dhowells@...hat.com>
> ---
> keyutils.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/keyutils.c b/keyutils.c
> index 37b6cc3..fd02cda 100644
> --- a/keyutils.c
> +++ b/keyutils.c
> @@ -18,6 +18,7 @@
> #include <dlfcn.h>
> #include <sys/uio.h>
> #include <errno.h>
> +#include <limits.h>
> #include <asm/unistd.h>
> #include "keyutils.h"
>
> @@ -442,6 +443,8 @@ int keyctl_read_alloc(key_serial_t id, void **_buffer)
> return -1;
>
> for (;;) {
> + if (ret == LONG_MAX)
> + return -EFBIG; /* Don't let buflen+1 overflow. */
> buflen = ret;
> buf = malloc(buflen + 1);
> if (!buf)
> @@ -515,6 +518,8 @@ int keyctl_dh_compute_alloc(key_serial_t priv, key_serial_t prime,
> if (ret < 0)
> return -1;
>
> + if (ret == LONG_MAX)
> + return -EFBIG; /* Don't let buflen+1 overflow. */
> buflen = ret;
> buf = malloc(buflen + 1);
> if (!buf)
>
Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
BR, Jarkko
Powered by blists - more mailing lists