public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
* Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)
       [not found] <200506230502.j5N52PWP007955@hera.kernel.org>
@ 2005-06-23  5:48 ` Florian Weimer
  2005-06-23  9:53   ` Andreas Gruenbacher
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Weimer @ 2005-06-23  5:48 UTC (permalink / raw)
  To: Linux Kernel Mailing List
  Cc: Andreas Gruenbacher, Olaf Kirch, Trond Myklebust

* Linux Kernel Mailing List:

> +xdr_xcode_array2(struct xdr_buf *buf, unsigned int base,
> +		 struct xdr_array2_desc *desc, int encode)
> +{
> +	char *elem = NULL, *c;
> +	unsigned int copied = 0, todo, avail_here;
> +	struct page **ppages = NULL;
> +	int err;
> +
> +	if (encode) {
> +		if (xdr_encode_word(buf, base, desc->array_len) != 0)
> +			return -EINVAL;
> +	} else {
> +		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
> +		    (unsigned long) base + 4 + desc->array_len *
> +				    desc->elem_size > buf->len)
> +			return -EINVAL;
> +	}

This looks suspiciously like CVE-2002-0391.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)
  2005-06-23  5:48 ` Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays) Florian Weimer
@ 2005-06-23  9:53   ` Andreas Gruenbacher
  2005-06-23 10:45     ` Potential xdr_xcode_array2 security issue Florian Weimer
  0 siblings, 1 reply; 4+ messages in thread
From: Andreas Gruenbacher @ 2005-06-23  9:53 UTC (permalink / raw)
  To: Trond Myklebust; +Cc: Florian Weimer, Linux Kernel Mailing List, Olaf Kirch

[-- Attachment #1: Type: text/plain, Size: 166 bytes --]

On Thursday 23 June 2005 07:48, Florian Weimer wrote:
> This looks suspiciously like CVE-2002-0391.

Thanks, Florian. How about the attached patch?

Cheers,
Andreas.

[-- Attachment #2: xdr-input-validation.diff --]
[-- Type: text/x-diff, Size: 1196 bytes --]

From: Andreas Gruenbacher <agruen@suse.de>
Subject: Overflow in xdr input validation

The bounds check in xdr_xcode_array2 can overflow. Reported by
Florian Weimer <fw@deneb.enyo.de>.

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

Index: linux-2.6.5/net/sunrpc/xdr.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/xdr.c
+++ linux-2.6.5/net/sunrpc/xdr.c
@@ -989,8 +989,7 @@ xdr_xcode_array2(struct xdr_buf *buf, un
 			return -EINVAL;
 	} else {
 		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
-		    (unsigned long) base + 4 + desc->array_len *
-				    desc->elem_size > buf->len)
+		    desc->array_len > (buf->len - base - 4) / desc->elem_size)
 			return -EINVAL;
 	}
 	base += 4;
@@ -1158,8 +1157,8 @@ int
 xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
 		  struct xdr_array2_desc *desc)
 {
-	if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >
-	    buf->head->iov_len + buf->page_len + buf->tail->iov_len)
+	if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
+	    base < desc->array_len * desc->elem_size + 4)
 		return -EINVAL;
 
 	return xdr_xcode_array2(buf, base, desc, 1);

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Potential xdr_xcode_array2 security issue
  2005-06-23  9:53   ` Andreas Gruenbacher
@ 2005-06-23 10:45     ` Florian Weimer
  2005-06-23 11:00       ` Andreas Gruenbacher
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Weimer @ 2005-06-23 10:45 UTC (permalink / raw)
  To: Andreas Gruenbacher
  Cc: Trond Myklebust, Linux Kernel Mailing List, Olaf Kirch

* Andreas Gruenbacher:

> On Thursday 23 June 2005 07:48, Florian Weimer wrote:
>> This looks suspiciously like CVE-2002-0391.
>
> Thanks, Florian. How about the attached patch?

I don't know the code, so I can't tell if you must protect against
desc->elem_size beign zero.  I also don't understand the second hunk.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Potential xdr_xcode_array2 security issue
  2005-06-23 10:45     ` Potential xdr_xcode_array2 security issue Florian Weimer
@ 2005-06-23 11:00       ` Andreas Gruenbacher
  0 siblings, 0 replies; 4+ messages in thread
From: Andreas Gruenbacher @ 2005-06-23 11:00 UTC (permalink / raw)
  To: Florian Weimer; +Cc: Trond Myklebust, Linux Kernel Mailing List, Olaf Kirch

On Thursday 23 June 2005 12:45, Florian Weimer wrote:
> [...] I can't tell if you must protect against desc->elem_size beign zero.

No.

-- Andreas.

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-06-23 11:02 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <200506230502.j5N52PWP007955@hera.kernel.org>
2005-06-23  5:48 ` Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays) Florian Weimer
2005-06-23  9:53   ` Andreas Gruenbacher
2005-06-23 10:45     ` Potential xdr_xcode_array2 security issue Florian Weimer
2005-06-23 11:00       ` Andreas Gruenbacher

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox