oss-sec mailing list archives
Re: fix to CVE-2009-4307
From: Xi Wang <xi.wang () gmail com>
Date: Mon, 4 Jun 2012 12:04:35 -0400
On Apr 11, 2012, at 7:07 AM, Petr Matousek wrote:
On Wed, Apr 04, 2012 at 12:19:43AM -0400, Xi Wang wrote:BTW, the second commit (d50f2ab6) might still allow a buffer overflow later. See another patch https://lkml.org/lkml/2012/2/20/422 (though it was rejected). In ext4_resize_fs(): flexbg_size = 1 << es->s_log_groups_per_flex; ... flex_gd = alloc_flex_gd(flexbg_size); and in alloc_flex_gd(): flex_gd->count = flexbg_size; flex_gd->groups = kmalloc(sizeof(...) * flexbg_size, ...); Note that the kmalloc size could be smaller than expected due to multiplication overflow (flexbg_size = 1 << s_log_groups_per_flex could be very large since s_log_groups_per_flex could be as large as 31). Array access flex_gd groups[i] could be out of bounds in that case.As Xi points out, there might be other problems in the code. Those should get a separate CVE without referencing CVE-2009-4307 IMHO.
Update: the issue was fixed upstream. http://git.kernel.org/linus/967ac8af4475ce45474800709b12137aa7634c77 - xi
Current thread:
- fix to CVE-2009-4307 akuster (Apr 03)
- Re: fix to CVE-2009-4307 Kurt Seifried (Apr 03)
- Re: fix to CVE-2009-4307 Xi Wang (Apr 03)
- Re: fix to CVE-2009-4307 Petr Matousek (Apr 11)
- Re: fix to CVE-2009-4307 Xi Wang (Apr 11)
- Re: fix to CVE-2009-4307 Xi Wang (Jun 04)
- Re: fix to CVE-2009-4307 Xi Wang (Apr 03)
- Re: fix to CVE-2009-4307 akuster (Apr 04)
- Re: fix to CVE-2009-4307 Kurt Seifried (Apr 12)
- Re: fix to CVE-2009-4307 Kurt Seifried (Apr 03)