From mboxrd@z Thu Jan 1 00:00:00 1970 From: "J. Bruce Fields" Subject: Re: [patch v2] sunrpc: integer underflow in rsc_parse() Date: Thu, 26 Feb 2015 15:40:46 -0500 Message-ID: <20150226204046.GH20495@fieldses.org> References: <20150224153401.GA12218@mwanda> <1424836484.13431.36.camel@willson.usersys.redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Dan Carpenter , Trond Myklebust , Anna Schumaker , "David S. Miller" , Jeff Layton , Kinglong Mee , linux-nfs@vger.kernel.org, netdev@vger.kernel.org, "Eric W. Biederman" , Andrew Morton , Andy Lutomirski , Wang YanQing , linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org To: Simo Sorce Return-path: Content-Disposition: inline In-Reply-To: <1424836484.13431.36.camel@willson.usersys.redhat.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Tue, Feb 24, 2015 at 10:54:44PM -0500, Simo Sorce wrote: > On Tue, 2015-02-24 at 18:34 +0300, Dan Carpenter wrote: > > If we call groups_alloc() with invalid values then it's might lead to > > memory corruption. For example, with a negative value then we might not > > allocate enough for sizeof(struct group_info). > > > > Signed-off-by: Dan Carpenter > > --- > > v2: In v1, I changed groups_alloc(). The other places which call > > groups_alloc() check the value before calling. Eric wanted that, either > > have all the callers check, or all the callers rely on groups_alloc(). > > In the end, Bruce Fields said adding the check here was probably > > reasonable. > > > > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c > > index 224a82f..1095be9 100644 > > --- a/net/sunrpc/auth_gss/svcauth_gss.c > > +++ b/net/sunrpc/auth_gss/svcauth_gss.c > > @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, > > /* number of additional gid's */ > > if (get_int(&mesg, &N)) > > goto out; > > + if (N < 0 || N > NGROUPS_MAX) > > + goto out; > > status = -ENOMEM; > > rsci.cred.cr_group_info = groups_alloc(N); > > if (rsci.cred.cr_group_info == NULL) > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > I touched this code relatively recently, and this check looks correct. > Feel free to add Reviewed-by: Simo Sorce Thanks! I thought your below-the-line context was useful, so pulled a version of it into the commit. --b. commit 76cb4be993c0 Author: Dan Carpenter Date: Tue Feb 24 18:34:01 2015 +0300 sunrpc: integer underflow in rsc_parse() If we call groups_alloc() with invalid values then it's might lead to memory corruption. For example, with a negative value then we might not allocate enough for sizeof(struct group_info). (We're doing this in the caller for consistency with other callers of groups_alloc(). The other alternative might be to move the check out of all the callers into groups_alloc().) Signed-off-by: Dan Carpenter Reviewed-by: Simo Sorce Signed-off-by: J. Bruce Fields diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 224a82f24d3c..1095be9c80ab 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, /* number of additional gid's */ if (get_int(&mesg, &N)) goto out; + if (N < 0 || N > NGROUPS_MAX) + goto out; status = -ENOMEM; rsci.cred.cr_group_info = groups_alloc(N); if (rsci.cred.cr_group_info == NULL)