lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 19 May 2015 09:08:58 +0000
From:	Wang Long <long.wanglong@...wei.com>
To:	<rostedt@...dmis.org>, <jkosina@...e.cz>, <pmladek@...e.cz>,
	<gregkh@...uxfoundation.org>
CC:	<stable@...r.kernel.org>, <wanglong@...qinren.net>,
	<peifeiyue@...wei.com>, <linux-kernel@...r.kernel.org>,
	<paulmck@...ux.vnet.ibm.com>, <dzickus@...hat.com>,
	<x86@...nel.org>, <long.wanglong@...wei.com>,
	<morgan.wang@...wei.com>, <sasha.levin@...cle.com>
Subject: [PATCH v2 13/17] seq_buf: Fix seq_buf_bprintf() truncation

From: "Steven Rostedt (Red Hat)" <rostedt@...dmis.org>

commit 4d4eb4d4fbd9403682e2b75117b6b895531d8e01 upstream.

In seq_buf_bprintf(), bstr_printf() is used to copy the format into the
buffer remaining in the seq_buf structure. The return of bstr_printf()
is the amount of characters written to the buffer excluding the '\0',
unless the line was truncated!

If the line copied does not fit, it is truncated, and a '\0' is added
to the end of the buffer. But in this case, '\0' is included in the length
of the line written. To know if the buffer had overflowed, the return
length will be the same or greater than the length of the buffer passed in.

The check in seq_buf_bprintf() only checked if the length returned from
bstr_printf() would fit in the buffer, as the seq_buf_bprintf() is only
to be an all or nothing command. It either writes all the string into
the seq_buf, or none of it. If the string is truncated, the pointers
inside the seq_buf must be reset to what they were when the function was
called. This is not the case. On overflow, it copies only part of the string.

The fix is to change the overflow check to see if the length returned from
bstr_printf() is less than the length remaining in the seq_buf buffer, and not
if it is less than or equal to as it currently does. Then seq_buf_bprintf()
will know if the write from bstr_printf() was truncated or not.

Link: http://lkml.kernel.org/r/1425500481.2712.27.camel@perches.com

Cc: stable@...r.kernel.org
Reported-by: Joe Perches <joe@...ches.com>
[wanglong: backport to 3.10 stable]
Signed-off-by: Wang Long <long.wanglong@...wei.com>
Signed-off-by: Steven Rostedt <rostedt@...dmis.org>
---
 lib/seq_buf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/seq_buf.c b/lib/seq_buf.c
index 795dd94..f25c33b 100644
--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -154,7 +154,7 @@ int seq_buf_bprintf(struct seq_buf *s, const char *fmt, const u32 *binary)
 
 	if (s->len < s->size) {
 		ret = bstr_printf(s->buffer + s->len, len, fmt, binary);
-		if (seq_buf_can_fit(s, ret)) {
+		if (s->len + ret < s->size) {
 			s->len += ret;
 			return 0;
 		}
-- 
1.8.3.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ