| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Mar 2023 21:42:02 +0100
From: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Kees Cook <keescook@...omium.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Jens Axboe <axboe@...nel.dk>,
Nathan Chancellor <nathan@...nel.org>,
"linux-block@...r.kernel.org" <linux-block@...r.kernel.org>,
clang-built-linux <llvm@...ts.linux.dev>,
linux-hardening@...r.kernel.org
Subject: Re: [GIT PULL] Block fixes for 6.3-rc3
On Fri, Mar 17, 2023 at 9:31 PM Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> 'enum m5mols_restype' should be in the range 0..2, but it seems to use
> a 64-bit compare against '16385' (and then a 32-bit compare against
> '8199') to decide it's out-of-bounds.
It is comparing against just the `.code` in the `m5mols_default_ffmt`
table, i.e. the `MEDIA_BUS_FMT_VYUY8_2X8` (8199 = 0x2007) and
`MEDIA_BUS_FMT_JPEG_1X8` (16385 = 0x4001), see
https://elixir.bootlin.com/linux/latest/source/drivers/media/i2c/m5mols/m5mols_core.c#L52.
So it is basically:
if (code == m5mols_default_ffmt[0].code)
return type;
if (type == 2)
continue;
++type;
if (code == m5mols_default_ffmt[1].code)
return type;
if (type == 2)
continue;
++type;
m5mols_default_ffmt[2].code -> out of bounds UB -> unreachable
If the condition had `++type` instead, it would not be a problem,
because the loop stops before we go into the out of bounds access thus
no UB.
Cheers,
Miguel
Powered by blists - more mailing lists