| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 May 2018 11:52:11 +0200
From: Norbert Manthey <nmanthey@...zon.de>
To: "Manthey, Norbert" <nmanthey@...zon.de>
CC: Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
<stable@...r.kernel.org>, Alex Deucher <alexander.deucher@....com>,
Christian König <christian.koenig@....com>,
"David (ChunMing) Zhou" <David1.Zhou@....com>,
David Airlie <airlied@...ux.ie>,
Harry Wentland <harry.wentland@....com>,
Tony Cheng <tony.cheng@....com>,
Yongqiang Sun <yongqiang.sun@....com>,
Anthony Koo <Anthony.Koo@....com>,
Michel Dänzer <michel.daenzer@....com>,
Dmytro Laktyushkin <Dmytro.Laktyushkin@....com>,
Jordan Lazare <Jordan.Lazare@....com>,
Colin Ian King <colin.king@...onical.com>,
<amd-gfx@...ts.freedesktop.org>, <dri-devel@...ts.freedesktop.org>,
<linux-kernel@...r.kernel.org>,
"David Woodhouse" <dwmw2@...radead.org>
Subject: Re: [PATCH v2] drm: fix off-by-one in logger
Dear all,
I just noticed that replying to my earlier email thread failed, and that
I thereby created a new thread. The original thread is the following one:
https://lkml.org/lkml/2018/2/16/274
I am sorry for the confusion!
Best,
Norbert
On 05/23/2018 08:22 AM, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
>
> The full trace is as follows:
>
> In function ‘memmove’,
> from ‘append_entry’ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
> from ‘dm_logger_append_va’ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
> detected read beyond size of object passed as 2nd parameter
>
> Signed-off-by: Norbert Manthey <nmanthey@...zon.de>
> ---
> drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> index 31bee05..6ba8d0c 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -244,7 +244,7 @@ static void log_heading(struct log_entry *entry)
>
> static void append_entry(
> struct log_entry *entry,
> - char *buffer,
> + const char *buffer,
> uint32_t buf_size)
> {
> if (!entry->buf ||
> @@ -346,7 +346,9 @@ void dm_logger_append_va(
> if (size < LOG_MAX_LINE_SIZE - 1) {
> append_entry(entry, buffer, size);
> } else {
> - append_entry(entry, "LOG_ERROR, line too long\n", 27);
> + static const char msg[] = "LOG_ERROR, line too long\n";
> +
> + append_entry(entry, msg, sizeof(msg));
> }
> }
> }
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
Powered by blists - more mailing lists