Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 20 Nov 2013 09:44:14 +0100
From: Daniel Borkmann <dborkman@...hat.com>
To: oss-security@...ts.openwall.com
CC: P J P <ppandit@...hat.com>, Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE requests for three Linux kernel issues

On 11/20/2013 07:49 AM, P J P wrote:
>    Hello Moritz,
>
> +-- On Tue, 19 Nov 2013, Petr Matousek wrote --+
> | non-issues. Prasad (CC'ed) can provide reasons why.
> | > XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
> | >   http://seclists.org/fulldisclosure/2013/Nov/139
>
>     Here, integer overflow does not occur because 'fprog->len' is of type
> 'unsigned short' and sizeof(struct sock_filter) = 8 bytes.
>
>     unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
>                        = 8 * 65535(0xffff)
>                        = 524280 => 0x0007fff8
>
> ===
>      // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation.
>      fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
> ===
>
> Adding few more bytes 'sizeof(*fp)' to 'fsize' above is unlikely to overflow
> an unsigned int.

Agreed, it's somewhat stupid though that we only check for that later on after
allocation in sk_chk_filter():

if (flen == 0 || flen > BPF_MAXINSNS)
	return -EINVAL;

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.