oss-sec mailing list archives

Re: fix to CVE-2009-4307

From: Xi Wang <xi.wang () gmail com>
Date: Mon, 4 Jun 2012 12:04:35 -0400

On Apr 11, 2012, at 7:07 AM, Petr Matousek wrote:


On Wed, Apr 04, 2012 at 12:19:43AM -0400, Xi Wang wrote:



BTW, the second commit (d50f2ab6) might still allow a buffer overflow
later.  See another patch https://lkml.org/lkml/2012/2/20/422 (though
it was rejected).

In ext4_resize_fs():

  flexbg_size = 1 << es->s_log_groups_per_flex;
  ...
  flex_gd = alloc_flex_gd(flexbg_size);

and in alloc_flex_gd():

  flex_gd->count = flexbg_size;
  flex_gd->groups = kmalloc(sizeof(...) * flexbg_size, ...);

Note that the kmalloc size could be smaller than expected due to
multiplication overflow (flexbg_size = 1 << s_log_groups_per_flex
could be very large since s_log_groups_per_flex could be as large
as 31).  Array access flex_gd groups[i] could be out of bounds in
that case.


As Xi points out, there might be other problems in the code. Those
should get a separate CVE without referencing CVE-2009-4307 IMHO.


Update: the issue was fixed upstream.

http://git.kernel.org/linus/967ac8af4475ce45474800709b12137aa7634c77

- xi

Current thread:

fix to CVE-2009-4307 akuster (Apr 03)
- Re: fix to CVE-2009-4307 Kurt Seifried (Apr 03)
  - Re: fix to CVE-2009-4307 Xi Wang (Apr 03)
    - Re: fix to CVE-2009-4307 Petr Matousek (Apr 11)
    - Re: fix to CVE-2009-4307 Xi Wang (Apr 11)
    - Re: fix to CVE-2009-4307 Xi Wang (Jun 04)
  - Re: fix to CVE-2009-4307 akuster (Apr 04)
  - Re: fix to CVE-2009-4307 Kurt Seifried (Apr 12)