Re: [PATCH] Prevent offset + size overflow.

Hi,

> On February 10, 2015 at 3:56 AM Lucas De Marchi <lucas.de.marchi@xxxxxxxxx>
> wrote:
> > -       if (min_size > elf->size) {
> > +       if (ULLONG_MAX - *offset < *size || min_size > elf->size) {
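Review bot: `ULLONG_MAX - *offset < *size` is a faithful overflow test only while *offset and *size are themselves unsigned long long (uint64_t, as this reply states); if either were ever narrowed, the subtraction could not wrap but the limit compared against would still be the 64-bit one, so a sum that wraps the narrower type would be accepted. Tie the constant to the declared operand type (UINT64_MAX from <stdint.h>) so the check cannot drift from the declarations. The hunk shows only the changed condition; if `min_size = *offset + *size` is still computed before it, that is harmless for unsigned operands (wrap is defined) because the short-circuit skips the `min_size > elf->size` term, but placing the sum after the check reads more clearly.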

> -       min_size = *offset + *size;
> -       if (min_size > elf->size) {
> +       if (__builtin_uaddl_overflow(*offset, *size, &min_size)
> +           || min_size > elf->size) {
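Review bot: `__builtin_uaddl_overflow` takes `unsigned long` arguments, which are 32 bits on ILP32 targets, so uint64_t *offset and *size are converted to the parameter type before the addition and the high 32 bits of each operand are discarded before any overflow can be detected; its third argument is `unsigned long *`, so `&min_size` with a uint64_t min_size also mismatches there. Use `__builtin_uaddll_overflow` with an `unsigned long long` result, or preferably the type-generic `__builtin_add_overflow(*offset, *size, &min_size)`, which adds in the operands' own width and reports overflow against the type of min_size. Either form needs a compiler that provides these builtins; for older compilers keep `UINT64_MAX - *offset < *size` as the fallback.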

If at all, it would have to be __builtin_uaddll_overflow due to uint64_t even on
32 bit systems. But even then the prototype looks a bit off to me:

from https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
__builtin_uaddll_overflow (unsigned long long int a, unsigned long long int b,
unsigned long int *res)

I hope it's a typo and they meant "unsigned long long int *res", otherwise that
built-in function by itself is prone to truncation.

If it works, i.e. the poc.ko module doesn't trigger a segmentation fault, I am
fine with that solution. When it's in the tree, I will create fixes for the
other occurrences in that style as well.

Please keep in mind that these libkmod issues are not limited to just modinfo.
The tool modinfo is just the easiest way to trigger them, because it doesn't
need any advanced permissions.


Tobias
--
To unsubscribe from this list: send the line "unsubscribe linux-modules" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
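The three variants discussed in this thread side by side, as an added example that is not code from the original message or from libkmod: the naive `offset + size` check that wraps, the portable `MAX - offset < size` form, the type-generic `__builtin_add_overflow`, and a model of what `__builtin_uaddl_overflow` does on a 32-bit `unsigned long` target. The `struct elf_img`, `sample_elf` and the `range_ok_*` names are constructed for the example; it assumes a compiler with `__builtin_add_overflow` (GCC 5 or later, or clang 3.8 or later).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the ELF image; libkmod's own struct is not used here. */
struct elf_img {
	const uint8_t *data;
	uint64_t size;
};

/* Constructed sample: a 4 KiB image with no backing buffer (bounds checks only). */
static const struct elf_img sample_elf = { NULL, 4096 };

/* "Before": offset + size wraps for unsigned operands, so an offset close to
 * UINT64_MAX yields a tiny min_size and the bound check passes. */
static bool range_ok_naive(const struct elf_img *elf, uint64_t offset, uint64_t size)
{
	uint64_t min_size = offset + size;
	return min_size <= elf->size;
}

/* Portable fix, the ULLONG_MAX form from the thread but tied to the operand
 * type: reject when size does not fit in the space left above offset. */
static bool range_ok_portable(const struct elf_img *elf, uint64_t offset, uint64_t size)
{
	if (UINT64_MAX - offset < size)
		return false;
	return offset + size <= elf->size;
}

/* Compiler-assisted fix: the type-generic builtin adds in the operands' own
 * width and reports overflow against the type of *res (uint64_t here), so it
 * cannot truncate regardless of sizeof(long). */
static bool range_ok_builtin(const struct elf_img *elf, uint64_t offset, uint64_t size)
{
	uint64_t min_size;
	if (__builtin_add_overflow(offset, size, &min_size))
		return false;
	return min_size <= elf->size;
}

/* Model of __builtin_uaddl_overflow on an ILP32 target: both operands are
 * converted to the 32-bit parameter type before the add, so the high bits are
 * gone before overflow can be observed. Written with explicit uint32_t so the
 * behaviour is identical on a 64-bit host. */
static bool range_ok_truncating32(const struct elf_img *elf, uint64_t offset, uint64_t size)
{
	uint32_t a = (uint32_t)offset, b = (uint32_t)size, sum;
	if (__builtin_add_overflow(a, b, &sum))
		return false;
	return sum <= elf->size;
}

int main(void)
{
	/* Constructed inputs: normal in/out of bounds, a 64-bit wrap, and an
	 * offset whose only set bit is above bit 31 (lost by 32-bit truncation). */
	struct { uint64_t off, sz; } cases[] = {
		{ 0, 100 },
		{ 4000, 200 },
		{ UINT64_MAX - 10, 20 },
		{ 1ULL << 32, 16 },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		uint64_t off = cases[i].off, sz = cases[i].sz;
		printf("offset=%#llx size=%llu: naive=%d portable=%d builtin=%d trunc32=%d\n",
		       (unsigned long long)off, (unsigned long long)sz,
		       range_ok_naive(&sample_elf, off, sz),
		       range_ok_portable(&sample_elf, off, sz),
		       range_ok_builtin(&sample_elf, off, sz),
		       range_ok_truncating32(&sample_elf, off, sz));
	}
	return 0;
}
```

The two failure modes are distinct: the wrap case (offset near UINT64_MAX) is caught by every fixed variant but accepted by the naive sum, whereas an offset of 4 GiB with a small size is rejected by the 64-bit checks yet accepted by the 32-bit model, which is the truncation the reply warns about when `unsigned long` is 32 bits.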