lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 28 May 2013 19:21:01 +0800
From:	Chen Gang <gang.chen@...anux.com>
To:	Will Deacon <will.deacon@....com>
CC:	Catalin Marinas <Catalin.Marinas@....com>,
	"vgupta@...opsys.com" <vgupta@...opsys.com>,
	Tony Lindgren <tony@...mide.com>,
	Santosh Shilimkar <santosh.shilimkar@...com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Rusty Russell <rusty@...tcorp.com.au>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Linux-Arch <linux-arch@...r.kernel.org>
Subject: Re: [PATCH v2] arch: arm64: kernel: sprintf(), 'str' needs additional
 1 byte for failure processing

On 05/28/2013 06:42 PM, Will Deacon wrote:
> Hello,
> 
> On Mon, May 27, 2013 at 03:00:12AM +0100, Chen Gang wrote:
>> > 
>> > When failure occurs at the last looping cycle (when 'i == 0'), it will
>> > print "bad PC value" instead of "(%08x) ", which needs additional 1
>> > byte.
>> > 
>> > If not add 1 byte, the 'str' may be memory overflow.
>> > 
>> > 
>> > Signed-off-by: Chen Gang <gang.chen@...anux.com>
>> > ---
>> >  arch/arm64/kernel/traps.c |    2 +-
>> >  1 files changed, 1 insertions(+), 1 deletions(-)
>> > 
>> > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
>> > index 61d7dd2..c2f68d2 100644
>> > --- a/arch/arm64/kernel/traps.c
>> > +++ b/arch/arm64/kernel/traps.c
>> > @@ -100,7 +100,7 @@ static void dump_instr(const char *lvl, struct pt_regs *regs)
>> >  {
>> >  	unsigned long addr = instruction_pointer(regs);
>> >  	mm_segment_t fs;
>> > -	char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
>> > +	char str[sizeof("00000000 ") * 5 + 2 + 1 + 1], *p = str;
>> >  	int i;
> Whilst this code is difficult to follow, I don't think it's incorrect.
> The size of the str array is:
> 
> 	sizeof("00000000 ") = 8 ('0's) + 1 (space) + 1 (NUL) = 10 bytes

Oh, it is my fault, I miss the "1 (NUL)".

> 	*5 = 50 bytes
> 	+2 (for the two brackets when i == 0) = 52 bytes
> 	+1 (this is for the "bad PC value") = 53 bytes
> 
> In the worst case (when the PC is bad) we print:
> 
> 	"%08x " x4 = (8 + 1 + 1) *4 = 40 bytes

Actually, it is 36 bytes, for sprintf() return the length excluding NUL.

  (although, we still need notice the last NUL)


> 	"bad PC value" = 12 + 1 = 13 bytes
> 
> so again, 53 bytes.
>

So again, 49 bytes. ;-)


> .. or have I missed a character somewhere?
> 

NO, I missed characters, but you 'find' more characters. :-)


All together, this patch is incorrect, original implementation will not
cause issue.


Thanks
-- 
Chen Gang

Asianux Corporation
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ