| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 08 Jul 2017 16:42:25 +0900
From: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
To: Meelis Roos <mroos@...ux.ee>
Cc: Linux Kernel list <linux-kernel@...r.kernel.org>
Subject: Re: namei_vfat.c array subscript is above array bounds
Meelis Roos <mroos@...ux.ee> writes:
>> Source is same with above?
>
> Yes, same checksums.
> CONFIG_X86_USE_3DNOW=y
> CONFIG_UBSAN=y
> CONFIG_UBSAN_SANITIZE_ALL=y
OK. Succeed to reproduce. gcc's ubsan (CONFIG_UBSAN_SANITIZE_ALL=y) with
CONFIG_X86_USE_3DNOW=y outputs warnings of that.
But warnings are strange. The target of source is,
vfat_create_shortname:
extlen = 0;
if (ext_start) {
for (p = ext, ip = ext_start; extlen < 3 && ip < end; ip++) {
chl = to_shortname_char(nls, charbuf, sizeof(charbuf),
ip, &ext_info);
if (chl == 0)
continue;
if ((extlen + chl) > 3) {
is_shortname = 0;
break;
}
for (chi = 0; chi < chl; chi++) {
*p++ = charbuf[chi];
extlen++;
}
if (extlen >= 3) {
if (ip + 1 != end)
is_shortname = 0;
break;
}
}
}
[...]
memcpy(name_res + 8, ext, extlen); <= here
name_res == name_res[11], but extlen never be bigger than 3 (if I'm not
missing something). And extlen is not constant, but gcc outputs the
warnings on __constant_memcpy3d().
#define memcpy(t, f, n) \
(__builtin_constant_p((n)) \
? __constant_memcpy3d((t), (f), (n)) \
: __memcpy3d((t), (f), (n)))
And changing
memcpy(name_res + 8, ext, extlen);
to
__builtin_memcpy(name_res + 8, ext, extlen);
doesn't output warnings.
So, I'm not sure though, it looks like the bug of ubsan(?). (BTW, for
now, you can set CONFIG_UBSAN_SANITIZE_ALL=n to disable ubsan.)
Thanks.
--
OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
Powered by blists - more mailing lists