The patch titled
Subject: vmcore: fix PT_NOTE n_namesz, n_descsz overflow issue
has been added to the -mm tree. Its filename is
vmcore-fix-pt_note-n_namesz-n_descsz-overflow-issue.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/vmcore-fix-pt_note-n_namesz-n_descsz-overflow-issue.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/vmcore-fix-pt_note-n_namesz-n_descsz-overflow-issue.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: WANG Chao <chaowang@xxxxxxxxxx>
Subject: vmcore: fix PT_NOTE n_namesz, n_descsz overflow issue
When updating PT_NOTE header size (ie. p_memsz), an overflow issue
happens with the following bogus note entry:
n_namesz = 0xFFFFFFFF
n_descsz = 0x0
n_type = 0x0
This kind of note entry should be dropped during updating p_memsz. But
because n_namesz is 32bit, after (n_namesz + 3) & (~3), it's overflow to
0x0, the note entry size looks sane and reserved.
When userspace (eg. crash utility) is trying to access such bogus note,
it could lead to an unexpected behavior (eg. crash utility segment fault
because it's reading bogus address).
The source of bogus note hasn't been identified yet. At least we could
drop the bogus note so user space wouldn't be surprised.
Signed-off-by: WANG Chao <chaowang@xxxxxxxxxx>
Cc: Dave Anderson <anderson@xxxxxxxxxx>
Cc: Baoquan He <bhe@xxxxxxxxxx>
Cc: Randy Wright <rwright@xxxxxx>
Cc: Vivek Goyal <vgoyal@xxxxxxxxxx>
Cc: Paul Gortmaker <paul.gortmaker@xxxxxxxxxxxxx>
Cc: Fabian Frederick <fabf@xxxxxxxxx>
Cc: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Cc: Rashika Kheria <rashika.kheria@xxxxxxxxx>
Cc: Greg Pearson <greg.pearson@xxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/proc/vmcore.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff -puN fs/proc/vmcore.c~vmcore-fix-pt_note-n_namesz-n_descsz-overflow-issue fs/proc/vmcore.c
--- a/fs/proc/vmcore.c~vmcore-fix-pt_note-n_namesz-n_descsz-overflow-issue
+++ a/fs/proc/vmcore.c
@@ -546,8 +546,8 @@ static int __init update_note_header_siz
nhdr_ptr = notes_section;
while (nhdr_ptr->n_namesz != 0) {
sz = sizeof(Elf64_Nhdr) +
- ((nhdr_ptr->n_namesz + 3) & ~3) +
- ((nhdr_ptr->n_descsz + 3) & ~3);
+ (((u64)nhdr_ptr->n_namesz + 3) & ~3) +
+ (((u64)nhdr_ptr->n_descsz + 3) & ~3);
if ((real_sz + sz) > max_sz) {
pr_warn("Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x%x, n_descsz=0x%x\n",
nhdr_ptr->n_namesz, nhdr_ptr->n_descsz);
@@ -732,8 +732,8 @@ static int __init update_note_header_siz
nhdr_ptr = notes_section;
while (nhdr_ptr->n_namesz != 0) {
sz = sizeof(Elf32_Nhdr) +
- ((nhdr_ptr->n_namesz + 3) & ~3) +
- ((nhdr_ptr->n_descsz + 3) & ~3);
+ (((u64)nhdr_ptr->n_namesz + 3) & ~3) +
+ (((u64)nhdr_ptr->n_descsz + 3) & ~3);
if ((real_sz + sz) > max_sz) {
pr_warn("Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x%x, n_descsz=0x%x\n",
nhdr_ptr->n_namesz, nhdr_ptr->n_descsz);
_
Patches currently in -mm which might be from chaowang@xxxxxxxxxx are
origin.patch
vmcore-fix-pt_note-n_namesz-n_descsz-overflow-issue.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
