[v2 PATCH] lib/mpi: Fix buffer overrun when SG is too long
Herbert Xu
herbert at gondor.apana.org.au
Wed Dec 21 06:53:58 UTC 2022
On Tue, Dec 20, 2022 at 08:30:16PM +0000, Eric Biggers wrote:
>
> > Tried, could not boot the UML kernel.
> >
> > After looking, it seems we have to call sg_miter_stop(). Or alternatively,
> > we could let sg_miter_next() be called but not writing anything inside the
> > loop.
> >
> > With either of those fixes, the tests pass (using one scatterlist).
Thanks for the quick feedback Roberto!
> I think it should look like:
>
> while (nbytes) {
> sg_miter_next(&miter);
> ...
> }
> sg_miter_stop(&miter);
You're right Eric. However, we could also do it by simply not
checking nbytes since we already set nents according to nbytes
at the top of the function.
---8<---
The helper mpi_read_raw_from_sgl sets the number of entries in
the SG list according to nbytes. However, if the last entry
in the SG list contains more data than nbytes, then it may overrun
the buffer because it only allocates enough memory for nbytes.
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Reported-by: Roberto Sassu <roberto.sassu at huaweicloud.com>
Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
index 39c4c6731094..157ef532a6a2 100644
--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -504,7 +501,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
while (sg_miter_next(&miter)) {
buff = miter.addr;
- len = miter.length;
+ len = min_t(unsigned, miter.length, nbytes);
+ nbytes -= len;
for (x = 0; x < len; x++) {
a <<= 8;
--
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
More information about the Linux-security-module-archive
mailing list