Message-Id: <775D7FF5-052B-42B9-A1B3-3E6C0C8296DA@gmail.com>
Date: Thu, 1 May 2025 22:30:44 +0800
From: Alan Huang <mmpgouride@...il.com>
To: Jan Hendrik Farr <kernel@...rr.cc>,
 kent.overstreet@...ux.dev,
 Thorsten Blum <thorsten.blum@...lux.com>
Cc: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>,
 Nathan Chancellor <nathan@...nel.org>,
 Bill Wendling <morbo@...gle.com>,
 Kees Cook <kees@...nel.org>,
 regressions@...ts.linux.dev,
 linux-bcachefs@...r.kernel.org,
 linux-hardening@...r.kernel.org,
 LKML <linux-kernel@...r.kernel.org>,
 ardb@...nel.org,
 ojeda@...nel.org
Subject: Re: [REGRESSION][BISECTED] erroneous buffer overflow detected in
 bch2_xattr_validate

On Oct 25, 2024, at 23:27, Jan Hendrik Farr <kernel@...rr.cc> wrote:
> 
> On 25 10:10:38, Miguel Ojeda wrote:
>> On Fri, Oct 25, 2024 at 3:15 AM Nathan Chancellor <nathan@...nel.org> wrote:
>>> 
>>> on the official submission.
>> 
>> Same -- please feel free to add:
>> 
>> Reviewed-by: Miguel Ojeda <ojeda@...nel.org>
>> 
>> One nit below that is fine either way:
>> 
>>>> +# clang needs to be at least 19.1.3 to avoid __bdos miscalculations
>>>> +# https://github.com/llvm/llvm-project/pull/110497
>>>> +# https://github.com/llvm/llvm-project/pull/112636
>>>> +# TODO: when gcc 15 is released remove the build test and add gcc version check
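Review bot: the TODO on the last added line plans to swap the build test for a gcc version check once gcc 15 is released, but it does not record which minimum gcc version that check should require or what it is based on. The clang comment above it names 19.1.3 and links the two LLVM pull requests; suggest giving the gcc TODO the same level of detail (intended minimum version, or a reference to the relevant gcc change) so the follow-up is not left to guesswork.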
>> 
>> I would perhaps move these closer to the respective lines they are
>> commenting on (i.e. `depends on` and `def_bool`).
>> 
> 
> Done, thanks!
> 
> config CC_HAS_COUNTED_BY
> # TODO: when gcc 15 is released remove the build test and add
> # a gcc version check
> def_bool $(success,echo 'struct flex { int count; int array[] __attribute__((__counted_by__(count))); };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror)
> # clang needs to be at least 19.1.3 to avoid __bdos miscalculations
> # https://github.com/llvm/llvm-project/pull/110497
> # https://github.com/llvm/llvm-project/pull/112636
> depends on !(CC_IS_CLANG && CLANG_VERSION < 190103)

Hello,

Now there are users using gcc 15.1.1 who came across a similar issue (they are fine with gcc 14.2.1):

	https://privatebin.net/?a0d4e97d590d71e1#9bLmp2Kb5NU6X6cZEucchDcu88HzUQwHUah8okKPReEt

I wonder if the __counted_by(x_name_len) in struct bch_xattr is needed, since there is also a value after x_name.

Thanks,
Alan
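
The layout question raised in the message above, as an added example that is not part of the original message and not bcachefs code: `struct demo_xattr`, its fields and the `demo_*` helpers are hypothetical, and `demo_flags_access` is a simplified model of a fortified size check. It shows that a bound counting only the name bytes is smaller than what code reaching the trailing value needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __has_attribute
# if __has_attribute(__counted_by__) /* these compilers also provide __bdos */
#  define DEMO_COUNTED_BY(m) __attribute__((__counted_by__(m)))
#  define DEMO_BDOS(p) __builtin_dynamic_object_size((p), 1)
# endif
#endif
#ifndef DEMO_COUNTED_BY
# define DEMO_COUNTED_BY(m) /* attribute unavailable: no bound is attached */
# define DEMO_BDOS(p) __builtin_object_size((p), 1)
#endif
struct demo_xattr {          /* hypothetical layout: name bytes, then value bytes */
	uint8_t  name_len;
	uint16_t val_len;
	uint8_t  name[] DEMO_COUNTED_BY(name_len);
};
/* Size the compiler reports for the name member; (size_t)-1 means "unknown". */
size_t demo_name_bound(const struct demo_xattr *x) { return DEMO_BDOS(x->name); }
/* The value sits right after the name; its address is derived from the struct base. */
uint8_t *demo_val(struct demo_xattr *x)
{
	return (uint8_t *)x + offsetof(struct demo_xattr, name) + x->name_len;
}
/* Simplified model of a fortified check: flag when the size is known and too small. */
int demo_flags_access(size_t bound, size_t n) { return bound != (size_t)-1 && n > bound; }
struct demo_xattr *demo_new(const char *name, const char *val)
{
	size_t nl = strlen(name), vl = strlen(val);
	struct demo_xattr *x = malloc(sizeof(*x) + nl + vl);
	if (!x) return NULL;
	x->name_len = (uint8_t)nl;   /* counter is set before the array is used */
	x->val_len = (uint16_t)vl;
	memcpy(x->name, name, nl);   /* stays within name_len bytes */
	memcpy(demo_val(x), val, vl);
	return x;
}
int main(void)
{
	struct demo_xattr *x = demo_new("user.demo", "payload"); /* constructed sample */
	if (!x) return 1;
	size_t bound = demo_name_bound(x), need = (size_t)x->name_len + x->val_len;
	printf("bound=%zu need=%zu flagged=%d\n", bound, need, demo_flags_access(bound, need));
	free(x);
}
```

The printed `bound` depends on the compiler and optimization level, which is the variability the thread is about; `need` is always the name length plus the value length.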



