Date: Mon, 4 Jun 2012 12:04:35 -0400 From: Xi Wang <xi.wang@...il.com> To: Petr Matousek <pmatouse@...hat.com> Cc: oss-security@...ts.openwall.com, Kurt Seifried <kseifried@...hat.com>, akuster <akuster@...sta.com>, "Steven M. Christey" <coley@...us.mitre.org>, vuln@...unia.com Subject: Re: fix to CVE-2009-4307 On Apr 11, 2012, at 7:07 AM, Petr Matousek wrote: > > On Wed, Apr 04, 2012 at 12:19:43AM -0400, Xi Wang wrote: >> >> >> BTW, the second commit (d50f2ab6) might still allow a buffer overflow >> later. See another patch https://lkml.org/lkml/2012/2/20/422 (though >> it was rejected). >> >> In ext4_resize_fs(): >> >> flexbg_size = 1 << es->s_log_groups_per_flex; >> ... >> flex_gd = alloc_flex_gd(flexbg_size); >> >> and in alloc_flex_gd(): >> >> flex_gd->count = flexbg_size; >> flex_gd->groups = kmalloc(sizeof(...) * flexbg_size, ...); >> >> Note that the kmalloc size could be smaller than expected due to >> multiplication overflow (flexbg_size = 1 << s_log_groups_per_flex >> could be very large since s_log_groups_per_flex could be as large >> as 31). Array access flex_gd groups[i] could be out of bounds in >> that case. > > As Xi points out, there might be other problems in the code. Those > should get a separate CVE without referencing CVE-2009-4307 IMHO. Update: the issue was fixed upstream. http://git.kernel.org/linus/967ac8af4475ce45474800709b12137aa7634c77 - xi
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.