From: David Laight <David.Laight@ACULAB.COM>
To: 'Roberto Sassu' <roberto.sassu@huaweicloud.com>,
"dhowells@redhat.com" <dhowells@redhat.com>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"paul@paul-moore.com" <paul@paul-moore.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"serge@hallyn.com" <serge@hallyn.com>,
"ebiggers@kernel.org" <ebiggers@kernel.org>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH v5 1/2] lib/mpi: Fix buffer overrun when SG is too long
Date: Fri, 30 Dec 2022 13:35:07 +0000 [thread overview]
Message-ID: <6949ced7c1014488b2d00ff26eba6b6b@AcuMS.aculab.com> (raw)
In-Reply-To: <20221227142740.2807136-2-roberto.sassu@huaweicloud.com>
From: Roberto Sassu
> Sent: 27 December 2022 14:28
>
> From: Herbert Xu <herbert@gondor.apana.org.au>
>
> The helper mpi_read_raw_from_sgl sets the number of entries in
> the SG list according to nbytes. However, if the last entry
> in the SG list contains more data than nbytes, then it may overrun
> the buffer because it only allocates enough memory for nbytes.
>
> Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
> Reported-by: Roberto Sassu <roberto.sassu@huaweicloud.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> ---
> lib/mpi/mpicoder.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
> index 39c4c6731094..3cb6bd148fa9 100644
> --- a/lib/mpi/mpicoder.c
> +++ b/lib/mpi/mpicoder.c
> @@ -504,7 +504,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
>
> while (sg_miter_next(&miter)) {
> buff = miter.addr;
> - len = miter.length;
> + len = min_t(unsigned, miter.length, nbytes);
Technically that min_t() is incorrect.
miter.length is size_t (unsigned long on 64bit) and nbytes unsigned int.
Any cast needs to force the smaller type to the larger one.
(Clearly here the domain of the values is probably than 4G - but that isn't
the point. There must be some places where the sg length needs to
be size_t because 32 bits isn't enough.)
In reality min() is being completely over-zealous in its checking and
should allow comparisons where the signed-ness of the two values matches.
Search for the patch I posted before xmas.
David
> + nbytes -= len;
>
> for (x = 0; x < len; x++) {
> a <<= 8;
> --
> 2.25.1
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2022-12-30 13:35 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-27 14:27 [PATCH v5 0/2] KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() Roberto Sassu
2022-12-27 14:27 ` [PATCH v5 1/2] lib/mpi: Fix buffer overrun when SG is too long Roberto Sassu
2022-12-27 14:29 ` kernel test robot
2022-12-29 22:38 ` Eric Biggers
2022-12-30 13:35 ` David Laight [this message]
2022-12-30 15:39 ` Herbert Xu
2022-12-31 13:23 ` David Laight
2023-01-06 15:18 ` Herbert Xu
2023-01-16 8:57 ` Roberto Sassu
2023-01-16 9:06 ` Herbert Xu
2023-01-20 10:23 ` Roberto Sassu
2022-12-27 14:27 ` [PATCH v5 2/2] KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() Roberto Sassu
2022-12-29 22:39 ` Eric Biggers
2023-01-27 8:27 ` Roberto Sassu
2023-02-09 10:49 ` Roberto Sassu
2023-02-09 18:53 ` Eric Biggers
2023-02-09 22:46 ` Paul Moore
2023-02-10 3:56 ` Jarkko Sakkinen
2023-02-10 17:32 ` Paul Moore
2023-02-10 3:52 ` Jarkko Sakkinen
2023-05-26 7:35 ` Roberto Sassu
2023-06-01 21:00 ` Stefan Berger
2023-06-02 9:17 ` Roberto Sassu
2023-06-02 13:17 ` Eric Biggers
2023-06-02 13:39 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6949ced7c1014488b2d00ff26eba6b6b@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.