On Wed, Oct 31, 2012 at 5:31 AM, David Howells <dhowe...@redhat.com> wrote: > Kees Cook <keesc...@chromium.org> wrote: > >> Which means this loop will walk past the end of the memory (loop is >> bounded by n_sections, so secs[loop] can go past datalen). While >> data_addr and raw_data_size will stay bounded, the read of sec->name >> can be out of bounds. > > Assuming n_sections is checked, sec->name can't be out of bounds because it's > a char array, not a pointer. > >> (Also, do you want a "break" in there after the first .keylist is found, or >> is this intentionally "use last key list"?) > > Actually, no I don't. The loop also checks the limits on each section - which > I need to do since I have to individually digest the sections later. > > Attached is a patch I'm applying to pefile_parse_binary() to be more rigorous > about the checking of values in the PE binary.
Cool; looks good to me. When this gets into linux-next, we should probably spend more time staring at it. :) Thanks for the fixes! -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/