| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iJY4=Q0edL-mf2JrRiz8Ld7bQcogOrc4ozLEVD8qz8o2A@mail.gmail.com> Date: Mon, 4 Sep 2023 11:06:17 +0200 From: Eric Dumazet <edumazet@...gle.com> To: David Laight <David.Laight@...lab.com> Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "eric.dumazet@...il.com" <eric.dumazet@...il.com>, syzbot <syzkaller@...glegroups.com>, Kyle Zeng <zengyhkyle@...il.com>, Kees Cook <keescook@...omium.org>, Vlastimil Babka <vbabka@...e.cz> Subject: Re: [PATCH net] net: deal with integer overflows in kmalloc_reserve() On Mon, Sep 4, 2023 at 10:41 AM David Laight <David.Laight@...lab.com> wrote: > > From: Eric Dumazet > > Sent: 31 August 2023 19:38 > > > > Blamed commit changed: > > ptr = kmalloc(size); > > if (ptr) > > size = ksize(ptr); > > > > to: > > size = kmalloc_size_roundup(size); > > ptr = kmalloc(size); > > > > This allowed various crash as reported by syzbot [1] > > and Kyle Zeng. > > > > Problem is that if @size is bigger than 0x80000001, > > kmalloc_size_roundup(size) returns 2^32. > > > > kmalloc_reserve() uses a 32bit variable (obj_size), > > so 2^32 is truncated to 0. > > Can this happen on 32bit arch? > In that case kmalloc_size_roundup() will return 0. Maybe, but this would be a bug in kmalloc_size_roundup() I personally can not test 32bit kernels.
Powered by blists - more mailing lists