Message-ID: <35F16A63-E946-4467-AD4D-D5E1331EA4D5@kernel.org>
Date: Thu, 02 Mar 2023 17:37:51 -0800
From: Kees Cook <kees@...nel.org>
To: Nick Desaulniers <ndesaulniers@...gle.com>,
Kees Cook <keescook@...omium.org>
CC: Jakub Kicinski <kuba@...nel.org>,
Andy Shevchenko <andy@...nel.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Nicolas Schier <nicolas@...sle.eu>, Tom Rix <trix@...hat.com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Miroslav Benes <mbenes@...e.cz>,
Marco Elver <elver@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Walleij <linus.walleij@...aro.org>,
Cezary Rojewski <cezary.rojewski@...el.com>,
Mark Brown <broonie@...nel.org>, Puyou Lu <puyou.lu@...il.com>,
linux-hardening@...r.kernel.org, linux-kbuild@...r.kernel.org,
llvm@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fortify: Improve buffer overflow reporting
On March 2, 2023 3:21:11 PM PST, Nick Desaulniers <ndesaulniers@...gle.com> wrote:
>On Thu, Mar 2, 2023 at 2:58 PM Kees Cook <keescook@...omium.org> wrote:
>>
>> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
>> index c9de1f59ee80..981e2838f99a 100644
>> --- a/include/linux/fortify-string.h
>> +++ b/include/linux/fortify-string.h
>> @@ -170,11 +170,13 @@ __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
>> char *strcat(char * const POS p, const char *q)
>> {
>> size_t p_size = __member_size(p);
>> + size_t size;
>>
>> if (p_size == SIZE_MAX)
>> return __underlying_strcat(p, q);
>> - if (strlcat(p, q, p_size) >= p_size)
>> - fortify_panic(__func__);
>> + size = strlcat(p, q, p_size);
>> + if (p_size < size)
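Review bot: the flipped comparison at `+ if (p_size < size)` drops the equality case that the removed `- if (strlcat(p, q, p_size) >= p_size)` covered. strlcat returns the length of the string it tried to create, so a return value equal to p_size means the terminating NUL did not fit and the copy was truncated; with `<` that overflow is no longer reported to fortify_panic(). Suggest `if (p_size <= size)` (or keep the original `size >= p_size`) so the behaviour matches the check being replaced.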
>
>What happens when they're equal? I think this patch changes
>behavior...? Intentional?
>
>Did flipping this conditional drop what should be `<=`?
>
>Was there an off by one, or is this version of this patch potentially
>introducing one? Or am I misremembering my boolean algebra?
Whoops! Thanks for catching that. I was going too fast. And I'm bothered that my regression tests missed it. :|
I will send a v2...
-Kees
--
Kees Cook