| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Sep 2023 09:58:56 +0800
From: liulongfang <liulongfang@...wei.com>
To: Dan Carpenter <dan.carpenter@...aro.org>,
Marion & Christophe JAILLET <christophe.jaillet@...adoo.fr>
CC: Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Zaibo Xu <xuzaibo@...wei.com>, <linux-kernel@...r.kernel.org>,
<kernel-janitors@...r.kernel.org>, <linux-crypto@...r.kernel.org>
Subject: Re: [PATCH] crypto: hisilicon/hpre - Fix a erroneous check after
snprintf()
On 2023/9/7 19:15, Dan Carpenter wrote:
> On Tue, Sep 05, 2023 at 07:27:47AM +0200, Marion & Christophe JAILLET wrote:
>>>
>>> The other snprintf in the same file also looks suspect.
>>
>> It looks correct to me.
>>
>> And HPRE_DBGFS_VAL_MAX_LEN being 20, it doesn't really matter. The string
>> can't be truncated with just a "%u\n".
>>
>
> drivers/crypto/hisilicon/hpre/hpre_main.c
> 884 ret = snprintf(tbuf, HPRE_DBGFS_VAL_MAX_LEN, "%u\n", val);
> 885 return simple_read_from_buffer(buf, count, pos, tbuf, ret);
>
> You can't pass the return value from snprintf() to simple_read_from_buffer().
> Otherwise the snprintf() checking turned a sprintf() write overflow into
> a read overflow, which is less bad but not ideal. It needs to be
> scnprintf().
>
Here only one "%u" data is written to buf, the return value ret cannot exceed 10,
and the length of tbuf is 20.
How did the overflow you mentioned occur?
Thanks,
Longfang.
> regards,
> dan carpenter
>
>
> .
>
Powered by blists - more mailing lists