lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <50F93D78.5010903@imap.cc>
Date:	Fri, 18 Jan 2013 13:18:00 +0100
From:	Tilman Schmidt <tilman@...p.cc>
To:	Dan Carpenter <dan.carpenter@...cle.com>
CC:	Hansjoerg Lipp <hjlipp@....de>, Karsten Keil <isdn@...ux-pingi.de>,
	gigaset307x-common@...ts.sourceforge.net, netdev@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch] isdn/gigaset: off by one check leading to oops

Hi Dan,

Am 17.01.2013 08:44, schrieb Dan Carpenter:
> If l == 12 then later we subtract 12 leaving zero.  We do a zero size
> allocation, so "dbgline" points to the ZERO_SIZE_PTR.  It leads to an
> oops when we set the NUL terminator:
> 	dbgline[3 * l - 1] = '\0';

thanks for finding that bug, but NAK to your fix.

> @@ -239,7 +239,7 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
>  		return;
>  
>  	l = CAPIMSG_LEN(data);
> -	if (l < 12) {
> +	if (l <= 12) {
>  		gig_dbg(level, "%s: ??? LEN=%04d", tag, l);
>  		return;
>  	}

CAPI messages of exactly 12 bytes are legal, and should be decoded
with the regular gig_dbg() call immediately after that hunk. It's
just the hex dump part that should be skipped in that case.
So I'd prefer to have it fixed this way instead:

@@ -248,6 +248,8 @@ static inline void dump_rawmsg(enum debuglevel
level, const char *tag,
                CAPIMSG_APPID(data), CAPIMSG_MSGID(data), l,
                CAPIMSG_CONTROL(data));
        l -= 12;
+       if (l <= 0)
+               return;
        dbgline = kmalloc(3 * l, GFP_ATOMIC);
        if (!dbgline)
                return;

I'll prepare a patch of my own, citing you as reporter, if that's
ok with you.

Thanks,
Tilman

-- 
Tilman Schmidt                    E-Mail: tilman@...p.cc
Bonn, Germany
Diese Nachricht besteht zu 100% aus wiederverwerteten Bits.
Ungeöffnet mindestens haltbar bis: (siehe Rückseite)




Download attachment "signature.asc" of type "application/pgp-signature" (261 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ