Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <B878C4E7-06FE-4032-8BA4-C195AB384738@gmail.com>
Date: Wed, 4 Apr 2012 00:19:43 -0400
From: Xi Wang <xi.wang@...il.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>,
 akuster <akuster@...sta.com>,
 "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: fix to CVE-2009-4307

On Apr 3, 2012, at 10:55 PM, Kurt Seifried wrote:
> For #2 I'm not sure how we handle something like a compiler possibly
> mangling code so that an issue is introduced (is that a compiler
> problem? a code problem? the intersection of both? Steve: can I get a
> comment/referees decision here =)

Thanks for bringing this up.

I think the compiler is all right in this case.  The code is not.

CVE-2009-4307 says that an attacker could trigger a division by
zero by crafting a large s_log_groups_per_flex.

The first commit (503358ae) fixes the division by zero.  The fix
is not perfect because:

1) Theoretically, a standard-conforming C compiler could generate
code that is still vulnerable to division by zero, but I was not
aware of any compilers doing that.

2) Logically, we should have groups_per_flex = 2^s_log_groups_per_flex,
and the fix doesn't really ensure that.  This is obviously not good,
but not sure how bad the consequence would be.

BTW, the second commit (d50f2ab6) might still allow a buffer overflow
later.  See another patch https://lkml.org/lkml/2012/2/20/422 (though
it was rejected).

In ext4_resize_fs():

   flexbg_size = 1 << es->s_log_groups_per_flex;
   ...
   flex_gd = alloc_flex_gd(flexbg_size);

and in alloc_flex_gd():

   flex_gd->count = flexbg_size;
   flex_gd->groups = kmalloc(sizeof(...) * flexbg_size, ...);

Note that the kmalloc size could be smaller than expected due to
multiplication overflow (flexbg_size = 1 << s_log_groups_per_flex
could be very large since s_log_groups_per_flex could be as large
as 31).  Array access flex_gd groups[i] could be out of bounds in
that case.

- xi

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.