lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <50902453.9090404@converseincode.com>
Date:	Tue, 30 Oct 2012 15:02:43 -0400
From:	Behan Webster <behanw@...verseincode.com>
To:	Theodore Ts'o <tytso@....edu>
CC:	linux-ext4@...r.kernel.org, Mark Charlebois <charlebm@...il.com>
Subject: Re: [PATCH] Remove VLAIS usage from JBD2 code

On 12-10-30 03:00 PM, Theodore Ts'o wrote:
> On Tue, Oct 30, 2012 at 02:40:04PM -0400, Behan Webster wrote:
>> From: Mark Charlebois <charlebm@...il.com>
>>
>> The use of variable length arrays in structs (VLAIS) in the Linux Kernel code
>> precludes the use of compilers which don't implement VLAIS (for instance the
>> Clang compiler). Since ctx is always a 32-bit CRC, hard coding a size of 4
>> bytes accomplishes the same thing without the use of VLAIS. This is the same
>> technique already employed in fs/ext4/ext4.h
>>
>> Signed-off-by: Mark Charlebois <charlebm@...il.com>
>> Signed-off-by: Behan Webster <behanw@...verseincode.com>
> That's reasonable, but in order to be safe to make sure we don't
> accidentally introduce a stack overrun bug at some point in the
> future, we should do something like this instead
>
> +	#define JBD_MAX_CHECKSUM_SIZE 4
> 	.
> 	.
> 	.
>
> -		char ctx[crypto_shash_descsize(journal->j_chksum_driver)];
> +		char ctx[JBD_MAX_CHECKSUM_SIZE];
> 	.
> 	.
> 	.
> +		BUG_ON(crypto_shash_descsize(journal->j_chksum_driver) >
> + 		       JBD_MAX_CHECKSUM_SIZE);
>
>
> I just like being careful and paranoid; using magic numeric constants
> for buffer sizes is just a scary thing to do.  If you could resubmit
> the patch with this change, I'd really appreciate it.  Thanks!!
A very good idea. Will do. Expect it soon.

Behan

-- 
Behan Webster
behanw@...verseincode.com

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ