From: Jiri Bohac <jbohac@suse.cz>
To: cve@kernel.org, linux-kernel@vger.kernel.org
Cc: linux-cve-announce@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Eric Biederman <ebiederm@xmission.com>,
kexec@lists.infradead.org
Subject: Re: CVE-2023-52823: kernel: kexec: copy user-array safely
Date: Fri, 24 May 2024 12:02:10 +0200 [thread overview]
Message-ID: <ZlBlorsBMPK0RdnR@dwarf.suse.cz> (raw)
In-Reply-To: <2024052106-CVE-2023-52823-3d81@gregkh>
On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> kernel: kexec: copy user-array safely
>
> Currently, there is no overflow-check with memdup_user().
This is false.
Therefore, I'd like to dispute this CVE.
The overflow check is in the kexec_load_check()
function called shortly before the memdup_user() call:
SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
struct kexec_segment __user *, segments, unsigned long, flags)
{
result = kexec_load_check(nr_segments, flags);
if (result)
return result;
...
ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
...
}
#define KEXEC_SEGMENT_MAX 16
static inline int kexec_load_check(unsigned long nr_segments,
unsigned long flags)
{
...
if (nr_segments > KEXEC_SEGMENT_MAX)
return -EINVAL;
}
Thanks,
--
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next parent reply other threads:[~2024-05-24 10:02 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024052106-CVE-2023-52823-3d81@gregkh>
2024-05-24 10:02 ` Jiri Bohac [this message]
2024-05-24 10:15 ` CVE-2023-52823: kernel: kexec: copy user-array safely Greg Kroah-Hartman
2024-05-24 12:38 ` Jiri Bohac
2024-05-24 14:13 ` Jiri Bohac
2024-05-24 15:27 ` Greg Kroah-Hartman
2024-05-24 15:26 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZlBlorsBMPK0RdnR@dwarf.suse.cz \
--to=jbohac@suse.cz \
--cc=cve@kernel.org \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=kexec@lists.infradead.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox