lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <YmEOn7LrVjJuybvg@hovoldconsulting.com> Date: Thu, 21 Apr 2022 09:58:23 +0200 From: Johan Hovold <johan@...nel.org> To: Kees Cook <keescook@...omium.org> Cc: Jann Horn <jannh@...gle.com>, kernel test robot <lkp@...el.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-usb@...r.kernel.org, stable@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, Arnd Bergmann <arnd@...db.de> Subject: Re: [PATCH] USB: serial: Fix heap overflow in WHITEHEAT_GET_DTR_RTS [ +CC: Arnd ] On Wed, Apr 20, 2022 at 11:11:26AM -0700, Kees Cook wrote: > On Wed, Apr 20, 2022 at 02:33:06PM +0200, Jann Horn wrote: > > On Wed, Apr 20, 2022 at 10:14 AM Johan Hovold <johan@...nel.org> wrote: > > > On Mon, Apr 18, 2022 at 09:17:42PM -0700, Kees Cook wrote: > > > > This looks like it's harmless, as both the source and the destinations are > > > > currently the same allocation size (4 bytes) and don't use their padding, > > > > but if anything were to ever be added after the "mcr" member in "struct > > > > whiteheat_private", it would be overwritten. The structs both have a > > > > single u8 "mcr" member, but are 4 bytes in padded size. The memcpy() > > > > destination was explicitly targeting the u8 member (size 1) with the > > > > length of the whole structure (size 4), triggering the memcpy buffer > > > > overflow warning: > > > > > > Ehh... No. The size of a structure with a single u8 is 1, not 4. There's > > > nothing wrong with the current code even if the use of memcpy for this > > > is a bit odd. > > I thought that was surprising too, and suspected it was something > specific to the build (as Jann also suggested). I tracked it down[1] to > "-mabi=apcs-gnu", which is from CONFIG_AEABI=n. > > whiteheat_private { > __u8 mcr; /* 0 1 */ > > /* size: 4, cachelines: 1, members: 1 */ > /* padding: 3 */ > /* last cacheline: 4 bytes */ > }; I stand corrected, thanks. Do we have other ABIs that can increase the alignment of structures like this? Skimming lore reveals a few subsystems that have started depending on !OABI to not have to deal with this. Apparently the old ARM ABI is deprecated in user space since gcc-4.6: https://lore.kernel.org/all/20190304193723.657089-1-arnd@arndb.de/ Perhaps time to drop support from the kernel too? > Given nothing actually uses "struct whiteheat_dr_info", except for the > sizing (har har), I suspect the better solution is just to do: > > info->mcr = command_info->result_buffer[0]; Yeah, that works for now. Ideally, we'd cast the result buffer to struct whiteheat_dr_info and access its single field. But that's not what current code does and the above is no less confusing. Patch applied, thanks. Johan
Powered by blists - more mailing lists