oss-sec mailing list archives
Re: CVE requests for three Linux kernel issues
From: Daniel Borkmann <dborkman () redhat com>
Date: Wed, 20 Nov 2013 09:44:14 +0100
On 11/20/2013 07:49 AM, P J P wrote:
> Hello Moritz,
>
> +-- On Tue, 19 Nov 2013, Petr Matousek wrote --+
> | non-issues. Prasad (CC'ed) can provide reasons why.
> | > XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
> | > http://seclists.org/fulldisclosure/2013/Nov/139
>
> Here, integer overflow does not occur because 'fprog->len' is of type 'unsigned short' and sizeof(struct sock_filter) = 8 bytes.
>
>     unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
>                        = 8 * 65535(0xffff) = 524280 => 0x0007fff8
>
> ===
>     // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation.
>     fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
> ===
>
> Adding a few more bytes 'sizeof(*fp)' to 'fsize' above is unlikely to overflow an unsigned int.
Agreed, it's somewhat stupid though that we only check for that later on after allocation in sk_chk_filter():

	if (flen == 0 || flen > BPF_MAXINSNS)
		return -EINVAL;
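As an added example (not code from the thread and not the kernel's own), a user-space C model of the two points made above: the allocation size computed with the same types as the quoted snippet (an unsigned short instruction count times an 8-byte instruction) stays far below UINT_MAX, and a length check placed before the allocation, rather than after it as in sk_chk_filter(), means an out-of-range program costs no allocation at all. The struct definitions, the fake_sock_kmalloc() stand-in, the byte counter and the two attach_filter_*() variants are constructed for the illustration; the real struct sk_filter has more fields and the real code also copies the instructions from user space before validating them, which this model skips.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a classic BPF instruction: 8 bytes, as in the post. */
struct sock_filter {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Constructed stand-in for struct sk_filter: a small header followed by the
 * instructions. The kernel's struct has more fields; only the shape matters here. */
struct sk_filter {
    unsigned int len;            /* number of instructions */
    struct sock_filter insns[];  /* flexible array member */
};

/* Stand-in for struct sock_fprog as handed in from user space. */
struct sock_fprog {
    unsigned short len;          /* unsigned short: the reason 8 * len cannot overflow */
    struct sock_filter *filter;
};

#define BPF_MAXINSNS 4096

/* Bytes requested from the stand-in allocator since the last reset, so the two
 * attach variants below can be compared. */
static size_t bytes_requested;

static void *fake_sock_kmalloc(size_t size)
{
    bytes_requested += size;
    return malloc(size);
}

void reset_alloc_stats(void) { bytes_requested = 0; }
size_t alloc_stats(void) { return bytes_requested; }

/* Size passed to the allocator, with the same types as the quoted snippet:
 * sizeof() is size_t, 'len' is promoted to it, the product is at most
 * 8 * 65535 = 524280, and the header adds only a few bytes on top. */
size_t filter_alloc_size(unsigned short len)
{
    unsigned int fsize = sizeof(struct sock_filter) * len;
    return fsize + sizeof(struct sk_filter);
}

/* Stand-in for the length check quoted from sk_chk_filter(). */
static int chk_filter_len(unsigned int flen)
{
    if (flen == 0 || flen > BPF_MAXINSNS)
        return -EINVAL;
    return 0;
}

/* Ordering described in the thread: allocate first, validate afterwards.
 * A bogus length costs an allocation of up to ~512 KiB before -EINVAL. */
int attach_filter_late_check(const struct sock_fprog *fprog, struct sk_filter **out)
{
    struct sk_filter *fp = fake_sock_kmalloc(filter_alloc_size(fprog->len));
    if (!fp)
        return -ENOMEM;
    int err = chk_filter_len(fprog->len);
    if (err) {
        free(fp);
        return err;
    }
    fp->len = fprog->len;
    *out = fp;
    return 0;
}

/* Ordering the reply argues for: reject an out-of-range length before touching
 * the allocator, so the bogus request costs nothing. */
int attach_filter_early_check(const struct sock_fprog *fprog, struct sk_filter **out)
{
    int err = chk_filter_len(fprog->len);
    if (err)
        return err;
    struct sk_filter *fp = fake_sock_kmalloc(filter_alloc_size(fprog->len));
    if (!fp)
        return -ENOMEM;
    fp->len = fprog->len;
    *out = fp;
    return 0;
}

int main(void)
{
    struct sock_fprog huge = { .len = 65535, .filter = NULL };  /* constructed input */
    struct sk_filter *fp = NULL;

    printf("largest possible request: %zu bytes\n", filter_alloc_size(65535));

    reset_alloc_stats();
    printf("late check:  rc=%d, bytes requested=%zu\n",
           attach_filter_late_check(&huge, &fp), alloc_stats());

    reset_alloc_stats();
    printf("early check: rc=%d, bytes requested=%zu\n",
           attach_filter_early_check(&huge, &fp), alloc_stats());
    return 0;
}
```

Both variants return -EINVAL for len = 65535; the difference is that the late-check path first asks the allocator for 524280 bytes plus the header, while the early-check path asks for nothing. The arithmetic itself is the same in both, which is the point of the reply quoted above: with a 16-bit length the product cannot wrap, so the advisory's overflow does not occur.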
Current thread:
- CVE requests for three Linux kernel issues Moritz Muehlenhoff (Nov 19)
- Re: CVE requests for three Linux kernel issues Petr Matousek (Nov 19)
- Re: CVE requests for three Linux kernel issues P J P (Nov 19)
- Re: CVE requests for three Linux kernel issues Daniel Borkmann (Nov 20)
- Re: CVE requests for three Linux kernel issues P J P (Nov 19)
- Re: CVE requests for three Linux kernel issues Petr Matousek (Nov 19)