[SECURITY] - 2.3.10p3 ptrace introduces kernel buffer overflow?

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Steve Underwood: "Re: Are there kernel testing suites out there? We need them."
• Previous message: Alan Cox: "Re: (reiserfs) RE: (reiserfs) Re: I discussed reading directories as files with"
• Next in thread: David S. Miller: "Re: [SECURITY] - 2.3.10p3 ptrace introduces kernel buffer overflow?"
• Maybe reply: David S. Miller: "Re: [SECURITY] - 2.3.10p3 ptrace introduces kernel buffer overflow?"

I could be wrong, but it looks like 2.3.10p3 has a kernel mode buffer
overflow. Luckily it will only affect sparc - the only arch to use the new
"ptrace_writedata" function.

The problem is signed/unsigned conversion. The "len" arg to
ptrace_writedata is signed int, so as a user I set it to -1. The length
check only checks for exceeding the buffer size; -1 passes the check.
When we pass -1 to copy_from_user, it is converted to unsigned, i.e. ~4Gb
;-)

These subtle signed/unsigned conversions crop up time and time again :-/

Chris

PS. The corresponding ptrace read function looks similarly affected.

+int ptrace_writedata(struct task_struct *tsk, char * src, unsigned long
dst, int len)
+{
+ int copied = 0;
+ while (len) {
+ char buf[128];
+ int this_len, retval;
+
+ this_len = (len > sizeof(buf)) ? sizeof(buf) : len;
+ if (copy_from_user(buf, src, this_len))

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Steve Underwood: "Re: Are there kernel testing suites out there? We need them."
• Previous message: Alan Cox: "Re: (reiserfs) RE: (reiserfs) Re: I discussed reading directories as files with"
• Next in thread: David S. Miller: "Re: [SECURITY] - 2.3.10p3 ptrace introduces kernel buffer overflow?"
• Maybe reply: David S. Miller: "Re: [SECURITY] - 2.3.10p3 ptrace introduces kernel buffer overflow?"