| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Oct 2018 09:23:19 -0700
From: Joe Perches <joe@...ches.com>
To: Willy Tarreau <w@....eu>, Wang Hai <wanghaifine@...il.com>
Cc: edumazet@...gle.com, davem@...emloft.net, kuznet@....inr.ac.ru,
yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Change judgment len position
On Wed, 2018-10-24 at 17:57 +0200, Willy Tarreau wrote:
> On Wed, Oct 24, 2018 at 11:47:29PM +0800, Wang Hai wrote:
> > To determine whether len is less than zero, it should be put before
> > the function min_t, because the return value of min_t is not likely
> > to be less than zero.
>
> Huh? First, the <0 test is made on "len", not "min_t", so it still
> is signed. Second, you're in fact completely removing the test here,
> look :
>
> > struct net *net = sock_net(sk);
> > int val, len;
> >
> > + len = min_t(unsigned int, len, sizeof(int));
> > +
>
> len is used uninitialized here, so the result is undefined.
>
> > if (get_user(len, optlen))
> > return -EFAULT;
>
> Then it gets overridden by get_user()
>
> > - len = min_t(unsigned int, len, sizeof(int));
> > -
>
> Then its positive values are not bounded anymore since you moved the test.
Not quite.
Problem here is negative values are tested as
large positive values and limited to 4
ie:
ien len = -1,
len = min_t(unsigned int, len, sizeof(int));
len is now 4
> > if (len < 0)
> > return -EINVAL;
So this test len < 0 could be moved up above min_t
> Then only negative values are dropped. So unless I'm missing something
> obvious, you're just allowing len to be as large as 2GB-1 based on the
> user's fed optlen.
>
> Am I wrong ?
>
> Willychee
Powered by blists - more mailing lists