From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Wang YanQing <udknight@gmail.com>,
linux-kernel@vger.kernel.org, linux-nfs@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [patch] groups: integer underflow in groups_alloc()
Date: Mon, 23 Feb 2015 15:44:19 +0000
Message-ID: <20150223154419.GA2542@mwanda>
This is called from rsc_parse() with a user-controlled value. Say for
example that "gidsetsize" is negative, then we could end up allocating
less than sizeof(struct group_info), leading to memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I copied the NGROUPS_MAX limit from the surrounding code; I'm not
absolutely sure that it's the correct limit to use.
diff --git a/kernel/groups.c b/kernel/groups.c
index 664411f..e9341b3 100644
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -18,6 +18,9 @@ struct group_info *groups_alloc(int gidsetsize)
int nblocks;
int i;
+ if ((unsigned)gidsetsize > NGROUPS_MAX)
+ return NULL;
+
nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK;
/* Make sure we always allocate at least one indirect block pointer */
nblocks = nblocks ? : 1;
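Review bot: the `if ((unsigned)gidsetsize > NGROUPS_MAX)` test in this hunk depends on a negative int wrapping to a large unsigned value, which is correct but easy to misread, and the hunk carries no comment saying so; writing it as `if (gidsetsize < 0 || gidsetsize > NGROUPS_MAX)` (or adding a one-line comment above the cast) keeps the negative case the commit message describes visible to the next reader. Given that the commit message says the value arrives from rsc_parse(), and the author is not certain NGROUPS_MAX is the right bound for groups_alloc(), it is also worth considering rejecting the bad value at that parsing boundary, where the meaning of the field is known, rather than only inside the shared allocator.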