| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1442863184-17935-3-git-send-email-toshi.kani@hpe.com>
Date: Mon, 21 Sep 2015 13:19:44 -0600
From: Toshi Kani <toshi.kani@....com>
To: mchehab@....samsung.com, bp@...en8.de, dougthompson@...ssion.com
Cc: linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org,
elliott@....com, tony.luck@...el.com,
Toshi Kani <toshi.kani@....com>
Subject: [PATCH 2/2] EDAC: Fix sysfs dimm_label store operation
Sysfs "dimm_label" and "chX_dimm_label" have the following issues
in their store operation.
1) A newline-terminated input string causes redundant newlines
# echo "test" > /sys/bus/mc0/devices/dimm0/dimm_label
# cat /sys/bus/mc0/devices/dimm0/dimm_label
test
# od -bc /sys/bus/mc0/devices/dimm0/dimm_label
0000000 164 145 163 164 012 012
t e s t \n \n
0000006
2) The original label string (31 characters) cannot be stored due to
an improper size check
# echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0" \
> /sys/bus/mc0/devices/dimm0/dimm_label
# cat /sys/bus/mc0/devices/dimm0/dimm_label
# od -bc /sys/bus/mc0/devices/dimm0/dimm_label
0000000 012 012
\n \n
0000002
3) An input string longer than the buffer size results a wrong label
info as it allows a retry with the remaining string.
# echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0_TEST" \
> /sys/bus/mc0/devices/dimm0/dimm_label
# cat /sys/bus/mc0/devices/dimm0/dimm_label
_TEST
Fix these issues by making the following changes:
1) Replace a newline character at the end with a null, if any.
2) Check the label buffer size with 'sizeof(dimm->label)'.
3) Fail a request if its string exceeds the label buffer size.
Signed-off-by: Toshi Kani <toshi.kani@....com>
Cc: Mauro Carvalho Chehab <mchehab@....samsung.com>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Doug Thompson <dougthompson@...ssion.com>
Cc: Robert Elliott <elliott@....com>
---
drivers/edac/edac_mc_sysfs.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index 8983755..f2ea914 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -241,13 +241,14 @@ static ssize_t channel_dimm_label_store(struct device *dev,
unsigned chan = to_channel(mattr);
struct rank_info *rank = csrow->channels[chan];
- ssize_t max_size = 0;
+ if (count == 0 || count > sizeof(rank->dimm->label))
+ return -EINVAL;
- max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1);
- strncpy(rank->dimm->label, data, max_size);
- rank->dimm->label[max_size] = '\0';
+ strncpy(rank->dimm->label, data, count);
+ if (rank->dimm->label[count - 1] == '\n')
+ rank->dimm->label[count - 1] = '\0';
- return max_size;
+ return count;
}
/* show function for dynamic chX_ce_count attribute */
@@ -495,13 +496,14 @@ static ssize_t dimmdev_label_store(struct device *dev,
{
struct dimm_info *dimm = to_dimm(dev);
- ssize_t max_size = 0;
+ if (count == 0 || count > sizeof(dimm->label))
+ return -EINVAL;
- max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1);
- strncpy(dimm->label, data, max_size);
- dimm->label[max_size] = '\0';
+ strncpy(dimm->label, data, count);
+ if (dimm->label[count - 1] == '\n')
+ dimm->label[count - 1] = '\0';
- return max_size;
+ return count;
}
static ssize_t dimmdev_size_show(struct device *dev,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists