From: Greg KH <gregkh@linuxfoundation.org>
To: sohu0106 <sohu0106@126.com>
Cc: tsbogend@alpha.franken.de, linux-mips@vger.kernel.org,
security@kernel.org
Subject: Re: buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c
Date: Thu, 14 Jul 2022 15:31:04 +0200 [thread overview]
Message-ID: <YtAamKIXPQ1aNJx9@kroah.com> (raw)
In-Reply-To: <71b5d25.71d1.181fcd701cf.Coremail.sohu0106@126.com>
On Thu, Jul 14, 2022 at 09:12:38PM +0800, sohu0106 wrote:
>
> In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t count" is pass by userland, if "count" is very large, it will bypass the check of "if ((count + v->len) > v->plen)".(such as count=0xffffffffffffffff). Then it will lead to buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".
>
>
> diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c
> index d0d832a..bd1f826 100644
> --- a/arch/mips/kernel/vpe.c_org
> +++ b/arch/mips/kernel/vpe.c
> @@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer,
> if (v == NULL)
> return -ENODEV;
>
> - if ((count + v->len) > v->plen) {
> + if ((count + v->len) > v->plen || count + v->len > v->len) {
> pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n");
> return -ENOMEM;
> }
>
Note, there is no need to cc: security@k.o when you also cc: public
mailing lists, as the developers there should handle the issue.
Also, your patch is corrupted with whitespace turned into spaces, making
it impossible to apply, and you forgot a signed-off-by line. Try
running scripts/checkpatch.pl on your patches before sending them out,
that will catch things like this.
thanks,
greg k-h
next prev parent reply other threads:[~2022-07-14 14:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-14 13:12 buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c sohu0106
2022-07-14 13:31 ` Greg KH [this message]
2022-07-14 13:42 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YtAamKIXPQ1aNJx9@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=linux-mips@vger.kernel.org \
--cc=security@kernel.org \
--cc=sohu0106@126.com \
--cc=tsbogend@alpha.franken.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.