| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87648374-a8fe-8830-793e-eb3c15e4ac54@gmail.com>
Date: Thu, 22 Sep 2022 15:22:56 -0700
From: James Smart <jsmart2021@...il.com>
To: Kees Cook <keescook@...omium.org>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>
Cc: Sachin Sant <sachinp@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] scsi: scsi_transport_fc: Adjust struct fc_nl_event flex
array usage
On 9/21/2022 1:51 PM, Kees Cook wrote:
> In order to help the compiler reason about the destination buffer in
> struct fc_nl_event, add a flexible array member for this purpose.
> However, since the header is UAPI, it must not change size or layout, so
> a union is used.
>
> The allocation size calculations are also corrected (it was potentially
> allocating an extra 8 bytes), and the padding is zeroed to avoid leaking
> kernel heap memory contents.
>
> Detected at run-time by the recently added memcpy() bounds checking:
>
> memcpy: detected field-spanning write (size 8) of single field "&event->event_data" at drivers/scsi/scsi_transport_fc.c:581 (size 4)
>
> Reported-by: Sachin Sant <sachinp@...ux.ibm.com>
> Link: https://lore.kernel.org/linux-next/42404B5E-198B-4FD3-94D6-5E16CF579EF3@linux.ibm.com/
> Cc: "James E.J. Bottomley" <jejb@...ux.ibm.com>
> Cc: "Martin K. Petersen" <martin.petersen@...cle.com>
> Cc: linux-scsi@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
Kinda crazy way to resolve it, but looks fine.
Reviewed-by: James Smart <jsmart2021@...il.com>
-- james
Powered by blists - more mailing lists