lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Feb 2015 15:40:46 -0500 From: "J. Bruce Fields" <bfields@...ldses.org> To: Simo Sorce <simo@...hat.com> Cc: Dan Carpenter <dan.carpenter@...cle.com>, Trond Myklebust <trond.myklebust@...marydata.com>, Anna Schumaker <anna.schumaker@...app.com>, "David S. Miller" <davem@...emloft.net>, Jeff Layton <jlayton@...marydata.com>, Kinglong Mee <kinglongmee@...il.com>, linux-nfs@...r.kernel.org, netdev@...r.kernel.org, "Eric W. Biederman" <ebiederm@...ssion.com>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...capital.net>, Wang YanQing <udknight@...il.com>, linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org Subject: Re: [patch v2] sunrpc: integer underflow in rsc_parse() On Tue, Feb 24, 2015 at 10:54:44PM -0500, Simo Sorce wrote: > On Tue, 2015-02-24 at 18:34 +0300, Dan Carpenter wrote: > > If we call groups_alloc() with invalid values then it's might lead to > > memory corruption. For example, with a negative value then we might not > > allocate enough for sizeof(struct group_info). > > > > Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> > > --- > > v2: In v1, I changed groups_alloc(). The other places which call > > groups_alloc() check the value before calling. Eric wanted that, either > > have all the callers check, or all the callers rely on groups_alloc(). > > In the end, Bruce Fields said adding the check here was probably > > reasonable. > > > > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c > > index 224a82f..1095be9 100644 > > --- a/net/sunrpc/auth_gss/svcauth_gss.c > > +++ b/net/sunrpc/auth_gss/svcauth_gss.c > > @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, > > /* number of additional gid's */ > > if (get_int(&mesg, &N)) > > goto out; > > + if (N < 0 || N > NGROUPS_MAX) > > + goto out; > > status = -ENOMEM; > > rsci.cred.cr_group_info = groups_alloc(N); > > if (rsci.cred.cr_group_info == NULL) > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > > the body of a message to majordomo@...r.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > I touched this code relatively recently, and this check looks correct. > Feel free to add Reviewed-by: Simo Sorce <simo@...hat.com> Thanks! I thought your below-the-line context was useful, so pulled a version of it into the commit. --b. commit 76cb4be993c0 Author: Dan Carpenter <dan.carpenter@...cle.com> Date: Tue Feb 24 18:34:01 2015 +0300 sunrpc: integer underflow in rsc_parse() If we call groups_alloc() with invalid values then it's might lead to memory corruption. For example, with a negative value then we might not allocate enough for sizeof(struct group_info). (We're doing this in the caller for consistency with other callers of groups_alloc(). The other alternative might be to move the check out of all the callers into groups_alloc().) Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> Reviewed-by: Simo Sorce <simo@...hat.com> Signed-off-by: J. Bruce Fields <bfields@...hat.com> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 224a82f24d3c..1095be9c80ab 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, /* number of additional gid's */ if (get_int(&mesg, &N)) goto out; + if (N < 0 || N > NGROUPS_MAX) + goto out; status = -ENOMEM; rsci.cred.cr_group_info = groups_alloc(N); if (rsci.cred.cr_group_info == NULL) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists