From patchwork Thu Feb 26 20:40:46 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "J. Bruce Fields" X-Patchwork-Id: 5895941 Return-Path: X-Original-To: patchwork-linux-nfs@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id A1F7BBF440 for ; Thu, 26 Feb 2015 20:41:09 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id B7E96203A1 for ; Thu, 26 Feb 2015 20:41:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D04FD20398 for ; Thu, 26 Feb 2015 20:41:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753969AbbBZUkt (ORCPT ); Thu, 26 Feb 2015 15:40:49 -0500 Received: from fieldses.org ([173.255.197.46]:54202 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753643AbbBZUkt (ORCPT ); Thu, 26 Feb 2015 15:40:49 -0500 Received: by fieldses.org (Postfix, from userid 2815) id DE0BB40DB; Thu, 26 Feb 2015 15:40:46 -0500 (EST) Date: Thu, 26 Feb 2015 15:40:46 -0500 From: "J. Bruce Fields" To: Simo Sorce Cc: Dan Carpenter , Trond Myklebust , Anna Schumaker , "David S. Miller" , Jeff Layton , Kinglong Mee , linux-nfs@vger.kernel.org, netdev@vger.kernel.org, "Eric W. Biederman" , Andrew Morton , Andy Lutomirski , Wang YanQing , linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: Re: [patch v2] sunrpc: integer underflow in rsc_parse() Message-ID: <20150226204046.GH20495@fieldses.org> References: <20150224153401.GA12218@mwanda> <1424836484.13431.36.camel@willson.usersys.redhat.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1424836484.13431.36.camel@willson.usersys.redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On Tue, Feb 24, 2015 at 10:54:44PM -0500, Simo Sorce wrote: > On Tue, 2015-02-24 at 18:34 +0300, Dan Carpenter wrote: > > If we call groups_alloc() with invalid values then it's might lead to > > memory corruption. For example, with a negative value then we might not > > allocate enough for sizeof(struct group_info). > > > > Signed-off-by: Dan Carpenter > > --- > > v2: In v1, I changed groups_alloc(). The other places which call > > groups_alloc() check the value before calling. Eric wanted that, either > > have all the callers check, or all the callers rely on groups_alloc(). > > In the end, Bruce Fields said adding the check here was probably > > reasonable. > > > > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c > > index 224a82f..1095be9 100644 > > --- a/net/sunrpc/auth_gss/svcauth_gss.c > > +++ b/net/sunrpc/auth_gss/svcauth_gss.c > > @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, > > /* number of additional gid's */ > > if (get_int(&mesg, &N)) > > goto out; > > + if (N < 0 || N > NGROUPS_MAX) > > + goto out; > > status = -ENOMEM; > > rsci.cred.cr_group_info = groups_alloc(N); > > if (rsci.cred.cr_group_info == NULL) > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > I touched this code relatively recently, and this check looks correct. > Feel free to add Reviewed-by: Simo Sorce Thanks! I thought your below-the-line context was useful, so pulled a version of it into the commit. --b. commit 76cb4be993c0 Author: Dan Carpenter Date: Tue Feb 24 18:34:01 2015 +0300 sunrpc: integer underflow in rsc_parse() If we call groups_alloc() with invalid values then it's might lead to memory corruption. For example, with a negative value then we might not allocate enough for sizeof(struct group_info). (We're doing this in the caller for consistency with other callers of groups_alloc(). The other alternative might be to move the check out of all the callers into groups_alloc().) Signed-off-by: Dan Carpenter Reviewed-by: Simo Sorce Signed-off-by: J. Bruce Fields --- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 224a82f24d3c..1095be9c80ab 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, /* number of additional gid's */ if (get_int(&mesg, &N)) goto out; + if (N < 0 || N > NGROUPS_MAX) + goto out; status = -ENOMEM; rsci.cred.cr_group_info = groups_alloc(N); if (rsci.cred.cr_group_info == NULL)