From: Dan Carpenter <dan.carpenter@oracle.com>
To: sohu0106 <sohu0106@126.com>
Cc: tsbogend@alpha.franken.de, linux-mips@vger.kernel.org,
security@kernel.org
Subject: Re: buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c
Date: Thu, 14 Jul 2022 16:42:54 +0300 [thread overview]
Message-ID: <20220714134254.GS2316@kadam> (raw)
In-Reply-To: <71b5d25.71d1.181fcd701cf.Coremail.sohu0106@126.com>
On Thu, Jul 14, 2022 at 09:12:38PM +0800, sohu0106 wrote:
>
> In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t count" is pass by userland, if "count" is very large, it will bypass the check of "if ((count + v->len) > v->plen)".(such as count=0xffffffffffffffff). Then it will lead to buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".
>
>
> diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c
> index d0d832a..bd1f826 100644
> --- a/arch/mips/kernel/vpe.c_org
> +++ b/arch/mips/kernel/vpe.c
> @@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer,
> if (v == NULL)
> return -ENODEV;
>
> - if ((count + v->len) > v->plen) {
> + if ((count + v->len) > v->plen || count + v->len > v->len) {
This integer overflow check is wrong. It should be < instead of >.
Also do the integer overflow check first before the other check. I
would normally write it like so:
if (count > ULONG_MAX - v->len ||
count + v->len > v->plen) {
pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n");
return -ENOMEM;
}
There are some other mechanical issues with the patch.
1) It needs a subsystem prefix:
Subject: [PATCH] MIPS: vpe: fix integer overflow in vpe_write()
2) The commit description needs to be line wrapped at 75 characters
(Run scripts/checkpatch.pl on your path).
3) We need a Signed-off-by line.
4) The patch cannot apply. Use `git diff /arch/mips/kernel/vpe.c` to
generate the patch. (There are other ways to generate patches. Read
Documentation/process/submitting-patches.rst or google for how to send
a first kernel patch).
regards,
dan carpenter
prev parent reply other threads:[~2022-07-14 13:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-14 13:12 buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c sohu0106
2022-07-14 13:31 ` Greg KH
2022-07-14 13:42 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220714134254.GS2316@kadam \
--to=dan.carpenter@oracle.com \
--cc=linux-mips@vger.kernel.org \
--cc=security@kernel.org \
--cc=sohu0106@126.com \
--cc=tsbogend@alpha.franken.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.