Full Disclosure mailing list archives
Re: grsecurity 2.1.0 release / 5 Linux kernel advisories
From: Marcus Meissner <meissner () suse de>
Date: Wed, 19 Jan 2005 11:34:03 +0100
On Fri, Jan 07, 2005 at 01:18:53PM -0500, Brad Spengler wrote:
Let's try this again, since web archives don't like multipart attachments.

grsecurity 2.1.0 release / Linux Kernel advisories
--------------------------------------------------------------------

Table Of Contents:
...
4) 2.6 scsi ioctl integer overflow and information leak
4) 2.6 scsi ioctl integer overflow and information leak

In drivers/block/scsi_ioctl.c, at sg_scsi_ioctl():

    struct request *rq;
    int err, in_len, out_len, bytes, opcode, cmdlen;
             ^ in_len, out_len are signed int
    char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];

    /*
     * get in an out lengths, verify they don't exceed a page worth of data
     */
    if (get_user(in_len, &sic->inlen))
                 ^ in_len is user-controlled
        return -EFAULT;
    if (get_user(out_len, &sic->outlen))
                 ^ out_len is user-controlled
        return -EFAULT;
    if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
        ^ signed int only has upper bound checked
        return -EINVAL;
Well spotted. I actually spent 30 minutes unsuccessfully trying to get my kernel to crash with this before a C guru here explained it to me.

The C compiler actually rises to the rescue and saves the kernel.

"A comparison will always be evaluated in the largest integer context available." (or so)

PAGE_SIZE is defined as (1UL << PAGE_SHIFT) for all architectures on 2.6 kernels. signed int has 31 bits, unsigned long has either 32 or 64 bits. So this expression will always be evaluated in unsigned long mode. In this case the signed int is not converted, but the binary representation is used; -1 would in this case be 0xffffffff.

=> No problem.

Ciao, Marcus
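An added example, not from the thread or the kernel source, that reproduces the comparison Marcus describes: the usual arithmetic conversions promote the signed int length to unsigned long because PAGE_SIZE is (1UL << PAGE_SHIFT), so a negative length fails the upper-bound test. PAGE_SHIFT = 12, the signed-int PAGE_SIZE variant and the explicit-bound helper are assumptions made here for contrast; they are not how the kernel defines them.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed: a 4 KiB page. Mirrors the 2.6 definition (1UL << PAGE_SHIFT). */
#define PAGE_SHIFT    12
#define PAGE_SIZE_UL  (1UL << PAGE_SHIFT)
/* Hypothetical variant with the same value as a plain signed int. */
#define PAGE_SIZE_INT (1 << PAGE_SHIFT)

/* What the int operand becomes in the comparison: converted to unsigned long
 * modulo ULONG_MAX + 1, so -1 turns into ULONG_MAX. */
unsigned long promoted_length(int len)
{
    return (unsigned long)len;
}

/* The check as written in sg_scsi_ioctl(): int lengths against an unsigned
 * long PAGE_SIZE. Returns true when the request is rejected. A negative
 * length is promoted to a huge unsigned value and so is rejected. */
bool reject_unsigned_page_size(int in_len, int out_len)
{
    return in_len > PAGE_SIZE_UL || out_len > PAGE_SIZE_UL;
}

/* Same check if PAGE_SIZE were a signed int: -1 > 4096 is false, so a
 * negative length passes the bound check. This is the case Brad's advisory
 * would apply to. */
bool reject_signed_page_size(int in_len, int out_len)
{
    return in_len > PAGE_SIZE_INT || out_len > PAGE_SIZE_INT;
}

/* Defensive form that does not rely on the promotion: reject negative
 * lengths explicitly, then apply the upper bound. */
bool reject_explicit_bounds(int in_len, int out_len)
{
    if (in_len < 0 || out_len < 0)
        return true;
    return (unsigned long)in_len > PAGE_SIZE_UL ||
           (unsigned long)out_len > PAGE_SIZE_UL;
}

int main(void)
{
    printf("-1 promoted: %#lx (ULONG_MAX is %#lx)\n", promoted_length(-1), ULONG_MAX);
    printf("unsigned PAGE_SIZE rejects -1: %d\n", reject_unsigned_page_size(-1, 0));
    printf("signed PAGE_SIZE rejects -1:   %d\n", reject_signed_page_size(-1, 0));
    printf("explicit bounds reject -1:     %d\n", reject_explicit_bounds(-1, 0));
    return 0;
}
```

Compiling with -Wsign-compare or -Wextra flags the mixed-sign comparison, which is the cheapest way to catch this pattern in review.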
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html