Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 4 Jun 2012 12:04:35 -0400
From: Xi Wang <xi.wang@...il.com>
To: Petr Matousek <pmatouse@...hat.com>
Cc: oss-security@...ts.openwall.com,
 Kurt Seifried <kseifried@...hat.com>,
 akuster <akuster@...sta.com>,
 "Steven M. Christey" <coley@...us.mitre.org>,
 vuln@...unia.com
Subject: Re: fix to CVE-2009-4307

On Apr 11, 2012, at 7:07 AM, Petr Matousek wrote:
> 
> On Wed, Apr 04, 2012 at 12:19:43AM -0400, Xi Wang wrote:
>> 
>> 
>> BTW, the second commit (d50f2ab6) might still allow a buffer overflow
>> later.  See another patch https://lkml.org/lkml/2012/2/20/422 (though
>> it was rejected).
>> 
>> In ext4_resize_fs():
>> 
>>   flexbg_size = 1 << es->s_log_groups_per_flex;
>>   ...
>>   flex_gd = alloc_flex_gd(flexbg_size);
>> 
>> and in alloc_flex_gd():
>> 
>>   flex_gd->count = flexbg_size;
>>   flex_gd->groups = kmalloc(sizeof(...) * flexbg_size, ...);
>> 
>> Note that the kmalloc size could be smaller than expected due to
>> multiplication overflow (flexbg_size = 1 << s_log_groups_per_flex
>> could be very large since s_log_groups_per_flex could be as large
>> as 31).  Array access flex_gd groups[i] could be out of bounds in
>> that case.
> 
> As Xi points out, there might be other problems in the code. Those
> should get a separate CVE without referencing CVE-2009-4307 IMHO.

Update: the issue was fixed upstream.

http://git.kernel.org/linus/967ac8af4475ce45474800709b12137aa7634c77

- xi

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.