| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Apr 2016 11:13:44 -0400 From: Peter Jones <pjones@...hat.com> To: Matt Fleming <matt@...eblueprint.co.uk> Cc: Laszlo Ersek <lersek@...hat.com>, Chris Wilson <chris@...is-wilson.co.uk>, intel-gfx@...ts.freedesktop.org, Jason Andryuk <jandryuk@...il.com>, Matthew Garrett <mjg59@...eos.com>, linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] lib: Always NUL terminate ucs2_as_utf8 On Thu, Apr 21, 2016 at 01:18:27PM +0100, Matt Fleming wrote: > ( Good Lord, I hate doing string manipulation in C ) (yep) > > On Wed, 20 Apr, at 03:25:32PM, Laszlo Ersek wrote: > > > > So, "len" does not include the room for the terminating NUL-byte here. > > When "len" is passed to ucs2_as_utf8(), with the proposed patch applied, > > a NUL byte will be produced in "name", but it will be at the price of a > > genuine character from the input variable name. > > Right, and this is a problem because we're trying to keep the names > consistent between efivarfs and the EFI variable data. Force > NUL-terminating the string is wrong, because if you have no room for > the NUL the caller should check for that. Sadly none do. > > On the flip-side, passing around non-NUL terminated strings is just > begging for these kinds of issues to come up. > > The fact is that the callers of ucs2_as_utf8() are passing it the > wrong 'len' argument. We want a NUL-terminated utf8 string and we're > passing a NUL-terminated ucs2 string. We should tell ucs2_as_utf8() it > has enough room to copy the NUL. > > Wouldn't this work (minus the return value checking)? I agree with your analysis, and your patch looks plausible. -- Peter
Powered by blists - more mailing lists