lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20081216231850.GA12692@dastardly.home.dghda.com>
Date:	Tue, 16 Dec 2008 23:18:50 +0000
From:	"Duane Griffin" <duaneg@...da.com>
To:	Evgeniy Dushistov <dushistov@...l.ru>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] ufs: ensure fast symlinks are NUL-terminated

On Tue, Dec 16, 2008 at 10:40:55PM +0300, Evgeniy Dushistov wrote:
> There is different types of ufs, one used 64 bit for "pointers to
> blocks", another 32 bit,
> so sizeof(UFS_I(inode)->i_u1.i_symlink))
> is not right choice every time,
> in ufs2 it should be
> sizeof(UFS_I(inode)->i_u1.u2_i_data) which 2 times bigger,
> 
> also there is hint for *BSD ufs
> 
> fs/ufs/ufs_fs.h:
> __fs32	fs_maxsymlinklen;/* max length of an internal symlink */
> 
> which may be used if ufs type ufs1 or ufs2

Hmm, I see. However it looks like ufs1_read_inode and ufs2_read_inode
both copy the same, ((UFS_NDADDR + UFS_NINDIR) * 4), amount of inline
symlink data. They also both copy it to ufs_inode_info->i_u1.i_symlink
(not that that matters, I suppose). Perhaps I'm being obtuse, but it
looks like inline ufs2 symlinks between 60 and 120 characters long are
being truncated to 60 characters, no?

There also doesn't seem to be any validation of (f)s_maxsymlinklen being
done. Unless I'm mistaken ufs_symlink could end up overwriting random
memory if it contains a large bogus value.

Does that all sound correct? If so would you like me to whip up a couple
of patches to fix it? I'll respin the NUL-termination patch on top of
those, if so.

> /Evgeniy

Cheers,
Duane.

-- 
"I never could learn to drink that blood and call it wine" - Bob Dylan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ