| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <967DC2CE-588D-4207-BF2D-59727454DC2E@oracle.com> Date: Tue, 10 Nov 2009 18:38:05 -0500 From: Chuck Lever <chuck.lever@...cle.com> To: argp@...sus-labs.com Cc: bugzilla-daemon@...zilla.kernel.org, bugme-daemon@...zilla.kernel.org, Linux Network Developers <netdev@...r.kernel.org>, "J. Bruce Fields" <bfields@...ldses.org>, Trond Myklebust <trond.myklebust@....uio.no>, Neil Brown <neilb@...e.de>, Andrew Morton <akpm@...ux-foundation.org>, Linux NFS Mailing list <linux-nfs@...r.kernel.org> Subject: Re: [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c On Nov 10, 2009, at 6:29 PM, Andrew Morton wrote: > > (switched to email. Please respond via emailed reply-to-all, not > via the > bugzilla web interface). > > On Thu, 5 Nov 2009 10:31:03 GMT > bugzilla-daemon@...zilla.kernel.org wrote: > >> http://bugzilla.kernel.org/show_bug.cgi?id=14546 >> >> Summary: Off-by-two stack buffer overflow in function >> rpc_uaddr2sockaddr() of net/sunrpc/addr.c >> Product: Networking >> Version: 2.5 >> Kernel Version: 2.6.32-rc6 >> Platform: All >> OS/Version: Linux >> Tree: Mainline >> Status: NEW >> Severity: normal >> Priority: P1 >> Component: Other >> AssignedTo: acme@...stprotocols.net >> ReportedBy: argp@...sus-labs.com >> CC: argp@...sus-labs.com >> Regression: No >> >> >> There is an off-by-two stack buffer overflow in function >> rpc_uaddr2sockaddr() >> of file net/sunrpc/addr.c in the Linux kernel SUNRPC implementation. >> >> The function rpc_uaddr2sockaddr() that is used to convert a >> universal address >> to a socket address takes as an argument the size_t variable >> uaddr_len (the >> length of the universal address string). The stack buffer buf is >> declared in >> line 315 to be of size RPCBIND_MAXUADDRLEN. If the passed argument >> uaddr_len is >> equal to RPCBIND_MAXUADDRLEN then the check at line 319 passes and >> then at >> lines 324 and 325 there are two out-of-bounds assignments: >> >> 319 if (uaddr_len > sizeof(buf)) >> 320 return 0; >> ... >> 324 buf[uaddr_len] = '\n'; >> 325 buf[uaddr_len + 1] = '\0'; >> >> To fix it please see the attached patch. >> > > Please don't submit patches via bugzilla. > > Please prepare this patch as per Documentation/SubmittingPatches and > email it to all the recipients of this email, thanks. > > --- ./net/sunrpc/addr.c.orig 2009-11-05 11:55:45.000000000 +0200 > +++ ./net/sunrpc/addr.c 2009-11-05 12:09:34.000000000 +0200 > @@ -316,7 +316,7 @@ > unsigned long portlo, porthi; > unsigned short port; > > - if (uaddr_len > sizeof(buf)) > + if (uaddr_len > sizeof(buf) - 2) > return 0; Why wouldn't you bump the size of the buffer by two as well? Otherwise valid universal addresses that are RPCBIND_MAXUADDRLEN bytes long will fail here. > memcpy(buf, uaddr, uaddr_len); -- Chuck Lever chuck[dot]lever[at]oracle[dot]com -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists