[34910] in bugtraq
Re: Linux Kernel sctp_setsockopt() Integer Overflow
daemon@ATHENA.MIT.EDU (Michael Tokarev)
Sat May 15 16:02:37 2004
Message-ID: <40A66059.5040506@tls.msk.ru>
Date: Sat, 15 May 2004 22:24:25 +0400
From: Michael Tokarev <mjt@tls.msk.ru>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
In-Reply-To: <20040511185856.88333.qmail@web25103.mail.ukl.yahoo.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Shaun Colley wrote:
[]
> Below is the vulnerable call:
>
> ---
> if (NULL == (tmp = kmalloc(optlen + 1, GFP_KERNEL))) {
>         retval = -ENOMEM;
>         goto out_unlock;
> }
> ---
>
> Because kmalloc() takes the 'count' variable as an
> unsigned number, negative numbers are interpreted as
> large unsigned numbers. However, if -1 is passed as
> 'optlen' (represented as 0xffffffff (hex) in unsigned
> variables, which is the largest value an unsigned
....
[]
> And thus, due to the integer overflow, 0 is passed to
> kmalloc(), causing too little memory to be allocated
> to hold 'optval'.
But kmalloc(0) will return NULL, and the whole setsockopt
will finish with errno set to ENOMEM.
From 2.4 mm/slab.c:
void * kmalloc (size_t size, int flags)
{
        cache_sizes_t *csizep = cache_sizes;

        for (; csizep->cs_size; csizep++) {
                if (size > csizep->cs_size)
                        continue;
                return __kmem_cache_alloc(flags & GFP_DMA ?
                         csizep->cs_dmacachep : csizep->cs_cachep, flags);
        }
        return NULL;
}
So, where's the bug?
/mjt
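To trace what the quoted 2.4 kmalloc() loop does for the size that the overflowed `optlen + 1` expression produces, here is an added stand-alone C model (editor's example, not kernel code). It reproduces the loop's size-class selection over a constructed `cache_sizes[]` table whose values are an assumption, not taken from the page.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed size-class table shaped like 2.4's cache_sizes[]:
 * ascending cs_size values, terminated by a 0 entry. The exact
 * values are an assumption for this model. */
static const size_t cache_sizes[] = {
    32, 64, 128, 256, 512, 1024, 2048, 4096,
    8192, 16384, 32768, 65536, 131072, 0
};

/* Model of the quoted kmalloc() loop. Returns the cs_size of the slab
 * cache the loop would hand to __kmem_cache_alloc(), or 0 where the loop
 * falls through and kmalloc() returns NULL (no class is large enough). */
size_t kmalloc_class_for(size_t size)
{
    const size_t *csizep = cache_sizes;

    for (; *csizep; csizep++) {
        if (size > *csizep)
            continue;           /* class too small, try the next one */
        return *csizep;         /* first class with cs_size >= size */
    }
    return 0;                   /* kmalloc() returns NULL */
}

/* The arithmetic of the quoted call: optlen is a signed int supplied by
 * userspace, optlen + 1 is computed as int, then converted to size_t. */
size_t sctp_alloc_size(int optlen)
{
    return (size_t)(optlen + 1);
}

int main(void)
{
    int optlens[] = { -1, 0, 100 };
    for (size_t i = 0; i < sizeof optlens / sizeof optlens[0]; i++) {
        size_t req = sctp_alloc_size(optlens[i]);
        size_t cls = kmalloc_class_for(req);
        printf("optlen=%d -> kmalloc(%zu) -> %s\n", optlens[i], req,
               cls ? "allocates from a slab class" : "returns NULL");
        if (cls)
            printf("    class size %zu\n", cls);
    }
    return 0;
}
```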