On Sun, 2003-01-26 at 19:35, Yichen Xie wrote:
> Hi all,
>
> Attached are 87 potential buffer overruns in 2.5.53. Most arise from
> improper bounds checks, and some might be security holes where the array
> index comes from an untrusted source (e.g. copy_from_user). In the bug
> report, "len" refers to the length of the array or buffer being
> accessed, and "off" refers to the offset/index that is being used to
> access it. (off >= len) corresponds to a buffer overrun, while (off < 0)
> signals an underrun.
>
> As always, confirmations and comments will be appreciated.
>
> Yichen
>
> [BUG] what if level < 0?
> /home/yxie/linux-2.5.53/fs/xfs/xfs_bmap_btree.c:1364:xfs_bmbt_lshift:
> ERROR:BUFFER:1364:1364:Array bounds error (off < 0)
> ((*cur).bc_ptrs[level], max(off) = -1)
> }
> if ((error = xfs_bmbt_updkey(cur, rkp, level + 1))) {
> XFS_BMBT_TRACE_CURSOR(cur, ERROR);
> return error;
> }
>
> Error --->
> cur->bc_ptrs[level]--;
> XFS_BMBT_TRACE_CURSOR(cur, EXIT);
> *stat = 1;
> return 0;
Hi,
I took a look at the callers of this code, level is always being passed
in as 0 or greater. Looking at it, we should really be using an unsigned
int for this variable.
Interesting that this is the only one in the file which showed up, there
are lots of array dereferences using level as the index in this file.
Steve
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Jan 31 2003 - 22:00:19 EST