[Bug 1662397] Re: a suspicious integer overflow in libselinux/src/compute_user.c : 54
Seth Arnold
1662397 at bugs.launchpad.net
Wed Feb 8 01:57:36 UTC 2017
Thanks shqking.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1662397
Title:
a suspicious integer overflow in libselinux/src/compute_user.c : 54
Status in libselinux package in Ubuntu:
Invalid
Bug description:
Hello.
A suspicious integer overflow is found in libselinux/src/compute_user.c : 54.
The source code is here. (https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/compute_user.c#L54)
If variable "nel" can be crafted as 0xffff ffff, the integer addition
at line 54 would overflow to 0, leading to no memory space allocated.
This would further lead to buffer overflow at line 62 in a loop. Note
that vulnerable "nel" is read from a file "selinux_mnt/user",
following the path, i.e. line 27, line 28, line 45 and line 49.
Since I'm not an expert in the source code of libselinux, I'm not sure
whether "nel" can be assigned with that very big integer (0xffff
ffff). If so, this issue is a severe bug definitely. If not, it is a
false positive and please ignore it.
Thanks a lot.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libselinux/+bug/1662397/+subscriptions
More information about the foundations-bugs
mailing list