[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE requests for three Linux kernel issues
From: Daniel Borkmann <dborkman () redhat ! com>
Date: 2013-11-20 8:44:14
Message-ID: 528C765E.3020500 () redhat ! com
[Download RAW message or body]
On 11/20/2013 07:49 AM, P J P wrote:
> Hello Moritz,
>
> +-- On Tue, 19 Nov 2013, Petr Matousek wrote --+
> | non-issues. Prasad (CC'ed) can provide reasons why.
> | > XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
> | > http://seclists.org/fulldisclosure/2013/Nov/139
>
> Here, integer overflow does not occur because 'fprog->len' is of type
> 'unsigned short' and sizeof(struct sock_filter) = 8 bytes.
>
> unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
> = 8 * 65535(0xffff)
> = 524280 => 0x0007fff8
>
> ===
> // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation.
> fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
> ===
>
> Adding few more bytes 'sizeof(*fp)' to 'fsize' above is unlikely to overflow
> an unsigned int.
Agreed, it's somewhat stupid though that we only check for that later on after
allocation in sk_chk_filter():
if (flen == 0 || flen > BPF_MAXINSNS)
return -EINVAL;
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic