Date: Tue, 12 Oct 2010 11:27:42 +0200
From: Thomas Pollet <thomas.pollet@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: kernel: avoid pgoff overflow in remap_file_pages

FWIW, this check:

if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))

is done to make sure the most significant bits are zero.
pgoff is later used to create a page table entry:

set_pte_at(mm, addr, pte, pgoff_to_pte(pgoff));

The other bits of the pte_t are reserved for the page status bits.
The exact implementation is architecture dependent.

Regards,
Thomas


On 12 October 2010 09:19, Eugene Teo <eugene@...hat.com> wrote:
> Thomas Pollet reported an integer overflow issue in remap_file_pages().
> While we are able to reproduce the issue, we are unable to find a security
> impact. If your views differ, do let us know.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=636383
> http://git.kernel.org/linus/5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
>
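
The range check quoted in the reply above, as an added example that is not part of the original thread or of the kernel source: it shows how the unsigned sum can wrap so that a pgoff with high bits set still passes, next to one wrap-aware form of the same check. The PAGE_SHIFT and PTE_FILE_MAX_BITS values and the helper names check_as_quoted, check_wrap_aware and high_bits_set are assumptions chosen for illustration; the real values are architecture dependent.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed values for illustration only; the kernel's are per-architecture. */
#define PAGE_SHIFT        12
#define PTE_FILE_MAX_BITS 29

/* The check as quoted in the message. Returns 1 when the request is rejected. */
static int check_as_quoted(unsigned long pgoff, unsigned long size)
{
    return pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS);
}

/* Hypothetical wrap-aware variant: reject first if the unsigned sum wraps. */
static int check_wrap_aware(unsigned long pgoff, unsigned long size)
{
    unsigned long pages = size >> PAGE_SHIFT;

    if (pgoff + pages < pgoff)          /* sum wrapped past ULONG_MAX */
        return 1;
    return pgoff + pages >= (1UL << PTE_FILE_MAX_BITS);
}

/* 1 if pgoff has bits set above the part a file pte can hold. */
static int high_bits_set(unsigned long pgoff)
{
    return (pgoff >> PTE_FILE_MAX_BITS) != 0;
}

int main(void)
{
    /* Constructed inputs: in range, out of range, and a wrapping sum. */
    unsigned long cases[][2] = {
        { 16UL,                      8UL << PAGE_SHIFT },
        { 1UL << PTE_FILE_MAX_BITS,  1UL << PAGE_SHIFT },
        { ULONG_MAX - 1,             4UL << PAGE_SHIFT },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("pgoff=%#lx high_bits=%d quoted_rejects=%d wrap_aware_rejects=%d\n",
               cases[i][0], high_bits_set(cases[i][0]),
               check_as_quoted(cases[i][0], cases[i][1]),
               check_wrap_aware(cases[i][0], cases[i][1]));
    return 0;
}
```

In the third case the sum wraps to 2, so the quoted comparison accepts a pgoff whose most significant bits are not zero, while the wrap-aware form rejects it.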
