Date:	Thu, 28 May 2015 14:04:23 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	"Jason A. Donenfeld" <Jason@...c4.com>
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
	Shigekatsu Tateno <shigekatsu.tateno@...el.com>
Subject: Re: [oss-security] Re: [PATCH v2 4/4] ozwpan: unchecked signed
 subtraction leads to DoS

On Tue, May 26, 2015 at 04:34:55PM +0200, Jason A. Donenfeld wrote:
> On Tue, May 26, 2015 at 4:06 PM, Dan Carpenter <dan.carpenter@...cle.com> wrote:
> > You sure do like wrapping to a high value and testing the result for
> > wrapping instead of validating before doing the subtraction...
> 
> I do indeed. It seems like asking "did it overflow?" is more
> straight-forward and easier to read than trying to come up with the
> necessary conditions to check for "will it overflow?". Personal
> preference, I guess.

It's really not simpler to understand though.  Also future static
checkers will complain that you are subtracting from a user variable and
might underflow.  I am updating my static checker to detect these.
Also overflow and truncate might not be the right fix, maybe it's better
to just drop the invalid request (patch 2/4).

What's going on with the mailing list?  We seem to be losing people from
the CC.  I deliberately added Shigekatsu Tateno, and it says he was on
the CC in my outbox but now he isn't.

Maybe we should just delete these ozwpan drivers entirely...  They were
merged when Ozmodevices was its own company and I don't think anyone is
working on them any more.

regards,
dan carpenter
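
The two styles debated in this thread, side by side with the unchecked signed form named in the subject line, as an added example that is not part of the original message and is not code from the ozwpan driver. `HDR_LEN`, `BUF_LEN` and the function names are hypothetical, and the length values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN 8u   /* hypothetical fixed header size */
#define BUF_LEN 64u  /* hypothetical destination buffer size */

/* Validate first ("will it underflow?") and drop the invalid request. */
static int payload_len_precheck(size_t total_len, size_t *out)
{
    if (total_len < HDR_LEN)
        return -1;                      /* shorter than the header: drop */
    if (total_len - HDR_LEN > BUF_LEN)
        return -1;                      /* payload would not fit */
    *out = total_len - HDR_LEN;
    return 0;
}

/* Subtract in unsigned arithmetic, then test the result ("did it wrap?"). */
static int payload_len_postcheck(size_t total_len, size_t *out)
{
    size_t len = total_len - HDR_LEN;   /* wraps to a huge value if too short */
    if (len > BUF_LEN)                  /* one test catches wrap and oversize */
        return -1;
    *out = len;
    return 0;
}

/* Defect class from the subject line: signed subtraction, upper bound only. */
static int payload_len_unchecked(int total_len, int *out)
{
    int len = total_len - (int)HDR_LEN; /* negative if total_len < HDR_LEN */
    if (len > (int)BUF_LEN)
        return -1;
    *out = len;                         /* a negative length is accepted */
    return 0;
}

int main(void)
{
    size_t n = 0;
    int s = 0, rc;

    printf("precheck(4)=%d postcheck(4)=%d\n",
           payload_len_precheck(4, &n), payload_len_postcheck(4, &n));
    rc = payload_len_unchecked(4, &s);
    printf("unchecked(4)=%d len=%d\n", rc, s);
    return 0;
}
```

The post-check form is only correct because the arithmetic is unsigned and `BUF_LEN` is far below the wrapped range; the pre-check form states the rejected condition directly, which is what a static checker looks for.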
