lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 10 Jan 2015 08:31:09 -0700 From: Bjorn Helgaas <bhelgaas@...gle.com> To: Sasha Levin <sasha.levin@...cle.com> Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org, Alex Williamson <alex.williamson@...hat.com>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Alexander Graf <agraf@...e.de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "open list:PCI SUBSYSTEM" <linux-pci@...r.kernel.org>, Kim Phillips <kim.phillips@...escale.com>, Stuart Yoder <stuart.yoder@...escale.com> Subject: Re: [PATCH v2] PCI/sysfs: off by two when checking the limit on driver_override length [+cc Kim, Stuart] On Wed, Jan 07, 2015 at 03:52:57PM -0500, Sasha Levin wrote: > When printing the driver_override parameter when it is 4095 and 4094 bytes > long the printing code would access invalid memory because we need count+1 > bytes for printing. Hi Sasha, I swear I'm not trying to be a nuisance, but wasn't there another fix for a different memory corruption problem? I was expecting two patches, but I only see one. If I understand this right, the problem is that driver_override_show() adds "\n" at the end of the driver name, and the whole string (driver name + newline) must fit within a page because sysfs show functions only have a page to put their data in. So the buffer overrun is in driver_override_show(), but the proposed fix is in driver_override_store(). I think that's too complicated. I'd rather use snprintf(..., PAGE_SIZE, ...) in driver_override_show() because that's a common pattern and it's easy to verify that it's correct. I don't think it's worth it to validate the length in driver_override_store(). I think the pattern in resume_store() should be sufficient, e.g., if (count && buf[count - 1] == '\n') count--; name = kstrndup(buf, count, GFP_KERNEL); if (!name) return -ENOMEM; pdev->driver_override = name; kfree(old); If a user sets a driver name that's 4KB long, and the output of driver_override_show() is truncated, that doesn't seem like a real issue. driver_override_store()/driver_override_show() in drivers/base/platform.c (added by 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")) is basically the same code, and it looks like it has the same two problems. Can you add fix those at the same time? Bjorn > Cc: <stable@...r.kernel.org> # v3.16+ > Fixes: 782a985d ("PCI: Introduce new device binding path using pci_dev.driver_override") > Cc: Alex Williamson <alex.williamson@...hat.com> > Cc: Bjorn Helgaas <bhelgaas@...gle.com> > Cc: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com> > Cc: Alexander Graf <agraf@...e.de> > Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> > Signed-off-by: Sasha Levin <sasha.levin@...cle.com> > --- > drivers/pci/pci-sysfs.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > index aa012fb..17459ed 100644 > --- a/drivers/pci/pci-sysfs.c > +++ b/drivers/pci/pci-sysfs.c > @@ -521,7 +521,8 @@ static ssize_t driver_override_store(struct device *dev, > struct pci_dev *pdev = to_pci_dev(dev); > char *driver_override, *old = pdev->driver_override, *cp; > > - if (count > PATH_MAX) > + /* We need to keep extra room for a newline */ > + if (count >= (PATH_MAX - 1)) > return -EINVAL; > > driver_override = kstrndup(buf, count, GFP_KERNEL); > -- > 1.7.10.4 > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists