lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 20 Dec 2011 13:22:27 +0900
From:	Ryota Ozaki <ozaki.ryota@...il.com>
To:	KOSAKI Motohiro <kosaki.motohiro@...il.com>
Cc:	linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...e.de>,
	linux-mm@...ck.org, stable@...nel.org
Subject: Re: [PATCH][RESEND] mm: Fix off-by-one bug in print_nodes_state

Hi Kosaki-san,

I'm sorry for my late reply.
2011/12/19 KOSAKI Motohiro <kosaki.motohiro@...il.com>:
> (12/18/11 6:58 AM), Ryota Ozaki wrote:
>> /sys/devices/system/node/{online,possible} involve a garbage byte
>> because print_nodes_state returns content size + 1. To fix the bug,
>> the patch changes the use of cpuset_sprintf_cpulist to follow the
>> use at other places, which is clearer and safer.
>>
>> This bug was introduced since v2.6.24.
>>
>> Signed-off-by: Ryota Ozaki<ozaki.ryota@...il.com>
>> ---
>>   drivers/base/node.c |    8 +++-----
>>   1 files changed, 3 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/base/node.c b/drivers/base/node.c
>> index 5693ece..ef7c1f9 100644
>> --- a/drivers/base/node.c
>> +++ b/drivers/base/node.c
>> @@ -587,11 +587,9 @@ static ssize_t print_nodes_state(enum node_states state, char *buf)
>>   {
>>       int n;
>>
>> -     n = nodelist_scnprintf(buf, PAGE_SIZE, node_states[state]);
>> -     if (n>  0&&  PAGE_SIZE>  n + 1) {
>> -             *(buf + n++) = '\n';
>> -             *(buf + n++) = '\0';
>> -     }
>> +     n = nodelist_scnprintf(buf, PAGE_SIZE-2, node_states[state]);
>
> PAGE_SIZE-1. This seems another off by one. buf[n++] = '¥n' mean
> override old trailing '¥0' and buf[n] = '¥0' mean to append one byte.
> Then totally, we append one byte.

Thanks for pointing this out, you're right. (nodelist_)scnprintf returns
size-1 at most, thus we need to remain just one byte. I'll fix it in
the next patch.

Actually I bring the code from another and such the flaw can be found in other
functions. So I'll them as well.

  ozaki-r

>
>> +     buf[n++] = '\n';
>> +     buf[n] = '\0';
>>       return n;
>>   }
>>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ