* buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c
@ 2022-07-14 13:12 sohu0106
2022-07-14 13:31 ` Greg KH
2022-07-14 13:42 ` Dan Carpenter
0 siblings, 2 replies; 3+ messages in thread
From: sohu0106 @ 2022-07-14 13:12 UTC (permalink / raw)
To: tsbogend; +Cc: linux-mips, security
In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t count" is pass by userland, if "count" is very large, it will bypass the check of "if ((count + v->len) > v->plen)".(such as count=0xffffffffffffffff). Then it will lead to buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".
diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c
index d0d832a..bd1f826 100644
--- a/arch/mips/kernel/vpe.c_org
+++ b/arch/mips/kernel/vpe.c
@@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer,
if (v == NULL)
return -ENODEV;
- if ((count + v->len) > v->plen) {
+ if ((count + v->len) > v->plen || count + v->len > v->len) {
pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n");
return -ENOMEM;
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c
2022-07-14 13:12 buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c sohu0106
@ 2022-07-14 13:31 ` Greg KH
2022-07-14 13:42 ` Dan Carpenter
1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2022-07-14 13:31 UTC (permalink / raw)
To: sohu0106; +Cc: tsbogend, linux-mips, security
On Thu, Jul 14, 2022 at 09:12:38PM +0800, sohu0106 wrote:
>
> In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t count" is pass by userland, if "count" is very large, it will bypass the check of "if ((count + v->len) > v->plen)".(such as count=0xffffffffffffffff). Then it will lead to buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".
>
>
> diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c
> index d0d832a..bd1f826 100644
> --- a/arch/mips/kernel/vpe.c_org
> +++ b/arch/mips/kernel/vpe.c
> @@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer,
> if (v == NULL)
> return -ENODEV;
>
> - if ((count + v->len) > v->plen) {
> + if ((count + v->len) > v->plen || count + v->len > v->len) {
> pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n");
> return -ENOMEM;
> }
>
Note, there is no need to cc: security@k.o when you also cc: public
mailing lists, as the developers there should handle the issue.
Also, your patch is corrupted with whitespace turned into spaces, making
it impossible to apply, and you forgot a signed-off-by line. Try
running scripts/checkpatch.pl on your patches before sending them out,
that will catch things like this.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c
2022-07-14 13:12 buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c sohu0106
2022-07-14 13:31 ` Greg KH
@ 2022-07-14 13:42 ` Dan Carpenter
1 sibling, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2022-07-14 13:42 UTC (permalink / raw)
To: sohu0106; +Cc: tsbogend, linux-mips, security
On Thu, Jul 14, 2022 at 09:12:38PM +0800, sohu0106 wrote:
>
> In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t count" is pass by userland, if "count" is very large, it will bypass the check of "if ((count + v->len) > v->plen)".(such as count=0xffffffffffffffff). Then it will lead to buffer overflow in "copy_from_user(v->pbuffer + v->len, buffer, count)".
>
>
> diff --git a/arch/mips/kernel/vpe.c_org b/arch/mips/kernel/vpe.c
> index d0d832a..bd1f826 100644
> --- a/arch/mips/kernel/vpe.c_org
> +++ b/arch/mips/kernel/vpe.c
> @@ -871,7 +871,7 @@ static ssize_t vpe_write(struct file *file, co nst char __user *buffer,
> if (v == NULL)
> return -ENODEV;
>
> - if ((count + v->len) > v->plen) {
> + if ((count + v->len) > v->plen || count + v->len > v->len) {
This integer overflow check is wrong. It should be < instead of >.
Also do the integer overflow check first before the other check. I
would normally write it like so:
if (count > ULONG_MAX - v->len ||
count + v->len > v->plen) {
pr_warn("VPE loader: elf size too big. Perhaps str ip unneeded symbols\n");
return -ENOMEM;
}
There are some other mechanical issues with the patch.
1) It needs a subsystem prefix:
Subject: [PATCH] MIPS: vpe: fix integer overflow in vpe_write()
2) The commit description needs to be line wrapped at 75 characters
(Run scripts/checkpatch.pl on your path).
3) We need a Signed-off-by line.
4) The patch cannot apply. Use `git diff /arch/mips/kernel/vpe.c` to
generate the patch. (There are other ways to generate patches. Read
Documentation/process/submitting-patches.rst or google for how to send
a first kernel patch).
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-07-14 14:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-14 13:12 buffer overflow in vpe_write() function of arch/mips/kernel/vpe.c sohu0106
2022-07-14 13:31 ` Greg KH
2022-07-14 13:42 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).