
List:       oss-security
Subject:    Re: [oss-security] CVE requests for three Linux kernel issues
From:       Daniel Borkmann <dborkman@redhat.com>
Date:       2013-11-20 8:44:14
Message-ID: 528C765E.3020500@redhat.com

On 11/20/2013 07:49 AM, P J P wrote:
>    Hello Moritz,
>
> +-- On Tue, 19 Nov 2013, Petr Matousek wrote --+
> | non-issues. Prasad (CC'ed) can provide reasons why.
> | > XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
> | >   http://seclists.org/fulldisclosure/2013/Nov/139
>
>     Here, integer overflow does not occur because 'fprog->len' is of type
> 'unsigned short' and sizeof(struct sock_filter) = 8 bytes.
>
>     unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
>                        = 8 * 65535(0xffff)
>                        = 524280 => 0x0007fff8
>
> ===
>      // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation.
>      fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
> ===
>
> Adding a few more bytes 'sizeof(*fp)' to 'fsize' above is unlikely to overflow
> an unsigned int.

Agreed, it's somewhat stupid though that we only check for that later on after
allocation in sk_chk_filter():

if (flen == 0 || flen > BPF_MAXINSNS)
	return -EINVAL;
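The size arithmetic discussed in this thread, as an added C illustration (not kernel code, not code from the advisory or from either poster): it models the `fsize = sizeof(struct sock_filter) * fprog->len` computation with the real 16-bit `len` and 8-byte instruction, shows the 0x7fff8 bound quoted above, shows what the same multiplication would do if the length field were 32 bits wide, and shows the hardened ordering in which the `BPF_MAXINSNS` check runs before any allocation size is computed. The 32-byte `sk_filter_hdr` stand-in for the kernel's `struct sk_filter` header is an assumption; `BPF_MAXINSNS`, `struct sock_filter` and `struct sock_fprog` follow the classic BPF ABI.

```c
/* Added illustration, not kernel code: models the size computation that
 * sk_attach_filter() performs for a user-supplied classic BPF program and
 * shows (a) why a 16-bit fprog->len cannot overflow the 32-bit size and
 * (b) the order of checks a hardened version would use.                */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <limits.h>
#include <errno.h>

#define BPF_MAXINSNS 4096   /* classic BPF program length limit */

struct sock_filter {        /* one classic BPF instruction, 8 bytes */
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

struct sock_fprog {         /* what userspace passes to setsockopt(SO_ATTACH_FILTER) */
    unsigned short len;     /* number of instructions, 16-bit */
    struct sock_filter *filter;
};

/* Simplified stand-in for the kernel's struct sk_filter header that precedes
 * the instruction array in the same allocation (assumption: 32-byte header). */
struct sk_filter_hdr {
    unsigned char opaque[32];
};

/* Mirrors the questioned computation: fsize = sizeof(struct sock_filter) * len,
 * then allocate fsize + sizeof(*fp). Returns 0 and stores the byte count, or
 * -1 if the result would not fit the 32-bit 'unsigned int fsize'. 'len' is
 * taken as 64-bit so the same function can show what a wider field would do. */
int filter_alloc_size(uint64_t len, unsigned int *out)
{
    uint64_t fsize = (uint64_t)sizeof(struct sock_filter) * len;
    uint64_t total = fsize + sizeof(struct sk_filter_hdr);
    if (total > UINT_MAX)
        return -1;          /* would wrap in a 32-bit unsigned int */
    *out = (unsigned int)total;
    return 0;
}

/* Largest allocation a 16-bit length can request: 8 * 65535 + header. */
unsigned int max_u16_alloc_size(void)
{
    unsigned int sz = 0;
    filter_alloc_size(USHRT_MAX, &sz);
    return sz;
}

/* Hardened ordering (illustration): reject out-of-range lengths before doing
 * any size arithmetic or allocation, instead of deferring to sk_chk_filter().
 * Returns -EINVAL for a bad length, otherwise the byte count to allocate. */
long attach_filter_size_checked(const struct sock_fprog *fprog)
{
    unsigned int sz;
    if (fprog->len == 0 || fprog->len > BPF_MAXINSNS)
        return -EINVAL;
    if (filter_alloc_size(fprog->len, &sz) != 0)
        return -EINVAL;     /* unreachable for a 16-bit len, kept for completeness */
    return (long)sz;
}

int main(void)
{
    unsigned int sz;
    struct sock_fprog bad = { .len = BPF_MAXINSNS + 1, .filter = NULL };
    struct sock_fprog ok  = { .len = 4, .filter = NULL };

    printf("max alloc for 16-bit len: %u bytes (payload 0x%x)\n",
           max_u16_alloc_size(),
           max_u16_alloc_size() - (unsigned int)sizeof(struct sk_filter_hdr));
    /* Had len been a 32-bit field, 8 * 0x20000001 would wrap to 8 bytes. */
    printf("32-bit len 0x20000001 would wrap: %s\n",
           filter_alloc_size(0x20000001u, &sz) != 0 ? "yes" : "no");
    printf("len %u -> %ld, len %u -> %ld\n",
           bad.len, attach_filter_size_checked(&bad),
           ok.len,  attach_filter_size_checked(&ok));
    return 0;
}
```

`max_u16_alloc_size()` minus the header gives exactly the 0x7fff8 (524280) payload quoted in the thread, which is nowhere near 2^32; the `0x20000001` case is only there to show that the argument rests on `len` being `unsigned short`, not on the constant 8. `attach_filter_size_checked()` rejects a length of 0 or above `BPF_MAXINSNS` before any size is computed, which is the ordering the reply above says would be preferable to checking in `sk_chk_filter()` after allocation.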