lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090323164030.GA5988@nowhere>
Date:	Mon, 23 Mar 2009 17:40:31 +0100
From:	Frederic Weisbecker <fweisbec@...il.com>
To:	Daniel Mack <daniel@...aq.de>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kernel/trace/trace_functions_graph.c: fix nsecs_str
	buffer size

On Mon, Mar 23, 2009 at 05:10:37PM +0100, Daniel Mack wrote:
> In kernel/trace/trace_functions_graph.c, print_graph_duration(), len can
> be as low as 1 or 2, which could make snprintf() write beyond the
> buffer bounds. (Found by cppcheck, no real-world bug occured)
> 
> Signed-off-by: Daniel Mack <daniel@...aq.de>


Hi Daniel,


It can't really happen because nsecs_rem is a rest of a division
per 1000, so it will not exceed 3 digits (so it should be [4] and not
[5], btw).

I must confess I should have added a better comment on this
area.

We are printing a duration in usec with a part in nsec with the following
constraints:

_ never exceed 7 characters unless we are are upper 9999999 usecs
_ always keep the usecs consistants

Which means that while we have 4 or lesser digits for the usecs, we can
print the 3 digits of the nanosecs.

If we need 5 for usecs, drop the least significant nanosec digit.
If we need 6 for usecs, drop the two least significant nanosec digits

6754.543 is correct
67545.543 must become 67545.54
etc...

That's why we have:

len = strlen(msecs_str);

	/* Print nsecs (we don't want to exceed 7 numbers) */
	if (len < 7) {
		snprintf(nsecs_str, 8 - len, "%03lu", nsecs_rem);

The 8 - len inside snprintf is not a security against overflow but a
precision set. We know that it will never go upper 3 digits, but if we
have 6 digits for usecs, we want only 8 - 6 = 2 nsecs

Hmm, may be it should be 7 -len. I don't remember. Anyway, this part
must be fixed to handle msecs and align the row to the left...


Frederic.


> ---
>  kernel/trace/trace_functions_graph.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
> index 930c08e..7533b25 100644
> --- a/kernel/trace/trace_functions_graph.c
> +++ b/kernel/trace/trace_functions_graph.c
> @@ -281,7 +281,7 @@ print_graph_duration(unsigned long long duration, struct trace_seq *s)
>  	unsigned long nsecs_rem = do_div(duration, 1000);
>  	/* log10(ULONG_MAX) + '\0' */
>  	char msecs_str[21];
> -	char nsecs_str[5];
> +	char nsecs_str[8];
>  	int ret, len;
>  	int i;
>  
> -- 
> 1.6.2
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ