Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)

From: Florian Weimer
Date: 2005-06-23 5:48 UTC
To: Linux Kernel Mailing List
Cc: Andreas Gruenbacher, Olaf Kirch, Trond Myklebust

* Linux Kernel Mailing List:

> +xdr_xcode_array2(struct xdr_buf *buf, unsigned int base,
> +		 struct xdr_array2_desc *desc, int encode)
> +{
> +	char *elem = NULL, *c;
> +	unsigned int copied = 0, todo, avail_here;
> +	struct page **ppages = NULL;
> +	int err;
> +
> +	if (encode) {
> +		if (xdr_encode_word(buf, base, desc->array_len) != 0)
> +			return -EINVAL;
> +	} else {
> +		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
> +		    (unsigned long) base + 4 + desc->array_len *
> +		    desc->elem_size > buf->len)
> +			return -EINVAL;
> +	}

This looks suspiciously like CVE-2002-0391.
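Review bot: the decode-side bounds test at the end of the quoted hunk, `(unsigned long) base + 4 + desc->array_len * desc->elem_size > buf->len`, widens only `base`; the product `desc->array_len * desc->elem_size` is evaluated in the type of the descriptor fields, and `array_len` has just been read from the wire by `xdr_decode_word()`. If those fields are 32-bit, a large `array_len` makes the product wrap and the check passes for an array that does not fit in `buf->len`. Rewrite the comparison without the multiplication, e.g. `desc->array_len > (buf->len - base - 4) / desc->elem_size`, and state (or check) that `elem_size` cannot be zero before dividing by it.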
Re: Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)

From: Andreas Gruenbacher
Date: 2005-06-23 9:53 UTC
To: Trond Myklebust
Cc: Florian Weimer, Linux Kernel Mailing List, Olaf Kirch

On Thursday 23 June 2005 07:48, Florian Weimer wrote:
> This looks suspiciously like CVE-2002-0391.

Thanks, Florian. How about the attached patch?

Cheers,
Andreas.

[-- Attachment #2: xdr-input-validation.diff (text/x-diff) --]

From: Andreas Gruenbacher <agruen@suse.de>
Subject: Overflow in xdr input validation

The bounds check in xdr_xcode_array2 can overflow. Reported by Florian
Weimer <fw@deneb.enyo.de>.

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

Index: linux-2.6.5/net/sunrpc/xdr.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/xdr.c
+++ linux-2.6.5/net/sunrpc/xdr.c
@@ -989,8 +989,7 @@ xdr_xcode_array2(struct xdr_buf *buf, un
 			return -EINVAL;
 	} else {
 		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
-		    (unsigned long) base + 4 + desc->array_len *
-		    desc->elem_size > buf->len)
+		    desc->array_len > (buf->len - base - 4) / desc->elem_size)
 			return -EINVAL;
 	}
 	base += 4;
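Review bot: the replacement condition in this hunk divides by `desc->elem_size`, so a descriptor with `elem_size == 0` now faults where the old form merely computed a harmless product; if a zero element size can never reach `xdr_xcode_array2()`, record that in a comment above the test (or a `BUG_ON(desc->elem_size == 0)`), because nothing in the hunk shows it. The subtraction `buf->len - base - 4` is only wrap-free because `xdr_decode_word()` has just succeeded at offset `base`, which requires `base + 4 <= buf->len`; a one-line comment naming that dependency would keep a later reordering of the `||` operands from silently breaking the check.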
@@ -1158,8 +1157,8 @@ int
 xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
 		  struct xdr_array2_desc *desc)
 {
-	if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >
-	    buf->head->iov_len + buf->page_len + buf->tail->iov_len)
+	if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
+	    base < desc->array_len * desc->elem_size + 4)
 		return -EINVAL;
 
 	return xdr_xcode_array2(buf, base, desc, 1);
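Review bot: the new condition in this hunk still evaluates `desc->array_len * desc->elem_size` (now with `+ 4` added on the same side), so the multiplication overflow removed from the decode path in the first hunk survives here, and the left-hand side `head->iov_len + page_len + tail->iov_len - base` wraps if `base` exceeds the total length. On the encode path `array_len` is caller-supplied rather than read from the wire, so the exposure is smaller, but the check should still be written in the same division form as the decode side, after requiring the total length to be at least `base + 4`: `desc->array_len > (total - base - 4) / desc->elem_size`, with `total` computed once into a local.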
Re: Potential xdr_xcode_array2 security issue

From: Florian Weimer
Date: 2005-06-23 10:45 UTC
To: Andreas Gruenbacher
Cc: Trond Myklebust, Linux Kernel Mailing List, Olaf Kirch

* Andreas Gruenbacher:

> On Thursday 23 June 2005 07:48, Florian Weimer wrote:
>> This looks suspiciously like CVE-2002-0391.
>
> Thanks, Florian. How about the attached patch?

I don't know the code, so I can't tell if you must protect against
desc->elem_size being zero.

I also don't understand the second hunk.
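An added C example, not code from this thread or from the kernel, that models the decode-side check quoted in the first message alongside the division form from the attached patch; it assumes the descriptor fields are 32-bit unsigned integers and uses constructed values, and its elem_size == 0 guard is the model's own answer to the question above, not the kernel's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the check in the original patch. Only `base` is widened; the
 * product array_len * elem_size is evaluated in 32 bits (assumption: the
 * descriptor fields are unsigned int) and silently wraps modulo 2^32. */
static bool old_check_accepts(uint32_t base, uint32_t array_len,
                              uint32_t elem_size, uint32_t buf_len)
{
    return !((uint64_t)base + 4 + array_len * elem_size > buf_len);
}

/* Division form of the same test: no product, so nothing can wrap. The two
 * preconditions the division form depends on (elem_size != 0 and
 * base + 4 <= buf_len) are checked here instead of being assumed. */
static bool new_check_accepts(uint32_t base, uint32_t array_len,
                              uint32_t elem_size, uint32_t buf_len)
{
    if (elem_size == 0 || buf_len < 4 || base > buf_len - 4)
        return false;
    return array_len <= (buf_len - base - 4) / elem_size;
}

/* Bytes the array really occupies on the wire, computed without wrapping. */
static uint64_t array_bytes(uint32_t array_len, uint32_t elem_size)
{
    return (uint64_t)array_len * elem_size;
}

int main(void)
{
    const uint32_t buf_len = 1024, base = 0, elem_size = 16;
    /* Constructed length: 0x10000000 * 16 == 2^32, which wraps to 0. */
    const uint32_t wrapping_len = 0x10000000u;

    printf("old check accepts %u elements: %s (needs %llu bytes, buffer %u)\n",
           wrapping_len,
           old_check_accepts(base, wrapping_len, elem_size, buf_len) ? "yes" : "no",
           (unsigned long long)array_bytes(wrapping_len, elem_size), buf_len);
    printf("new check accepts %u elements: %s\n", wrapping_len,
           new_check_accepts(base, wrapping_len, elem_size, buf_len) ? "yes" : "no");
    printf("new check accepts 63 elements: %s, 64 elements: %s\n",
           new_check_accepts(base, 63, elem_size, buf_len) ? "yes" : "no",
           new_check_accepts(base, 64, elem_size, buf_len) ? "yes" : "no");
    return 0;
}
```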
Re: Potential xdr_xcode_array2 security issue

From: Andreas Gruenbacher
Date: 2005-06-23 11:00 UTC
To: Florian Weimer
Cc: Trond Myklebust, Linux Kernel Mailing List, Olaf Kirch

On Thursday 23 June 2005 12:45, Florian Weimer wrote:
> [...] I can't tell if you must protect against desc->elem_size being zero.

No.

--
Andreas.