lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20121030190032.GB5044@thunk.org>
Date:	Tue, 30 Oct 2012 15:00:32 -0400
From:	Theodore Ts'o <tytso@....edu>
To:	Behan Webster <behanw@...verseincode.com>
Cc:	linux-ext4@...r.kernel.org, Mark Charlebois <charlebm@...il.com>
Subject: Re: [PATCH] Remove VLAIS usage from JBD2 code

On Tue, Oct 30, 2012 at 02:40:04PM -0400, Behan Webster wrote:
> From: Mark Charlebois <charlebm@...il.com>
> 
> The use of variable length arrays in structs (VLAIS) in the Linux Kernel code
> precludes the use of compilers which don't implement VLAIS (for instance the
> Clang compiler). Since ctx is always a 32-bit CRC, hard coding a size of 4
> bytes accomplishes the same thing without the use of VLAIS. This is the same
> technique already employed in fs/ext4/ext4.h
> 
> Signed-off-by: Mark Charlebois <charlebm@...il.com>
> Signed-off-by: Behan Webster <behanw@...verseincode.com>

That's reasonable, but in order to be safe to make sure we don't
accidentally introduce a stack overrun bug at some point in the
future, we should do something like this instead

+	#define JBD_MAX_CHECKSUM_SIZE 4
	.
	.
	.

-		char ctx[crypto_shash_descsize(journal->j_chksum_driver)];
+		char ctx[JBD_MAX_CHECKSUM_SIZE];
	.
	.
	.
+		BUG_ON(crypto_shash_descsize(journal->j_chksum_driver) >
+ 		       JBD_MAX_CHECKSUM_SIZE);


I just like being careful and paranoid; using magic numeric constants
for buffer sizes is just a scary thing to do.  If you could resubmit
the patch with this change, I'd really appreciate it.  Thanks!!

    	       	    	    	       - Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ