lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1442933883-21587-3-git-send-email-toshi.kani@hpe.com>
Date:	Tue, 22 Sep 2015 08:58:03 -0600
From:	Toshi Kani <toshi.kani@....com>
To:	mchehab@....samsung.com, bp@...en8.de, dougthompson@...ssion.com
Cc:	linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org,
	elliott@....com, tony.luck@...el.com,
	Toshi Kani <toshi.kani@....com>
Subject: [PATCH v2 2/2] EDAC: Fix sysfs dimm_label store operation

Sysfs "dimm_label" and "chX_dimm_label" have the following issues
in their store operation.

 1) A newline-terminated input string causes redundant newlines

  # echo "test" > /sys/bus/mc0/devices/dimm0/dimm_label
  # cat  /sys/bus/mc0/devices/dimm0/dimm_label
  test

  #  od -bc /sys/bus/mc0/devices/dimm0/dimm_label
  0000000 164 145 163 164 012 012
            t   e   s   t  \n  \n
  0000006

 2) The original label string (31 characters) cannot be stored due to
    an improper size check

  # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0" \
  > /sys/bus/mc0/devices/dimm0/dimm_label
  # cat /sys/bus/mc0/devices/dimm0/dimm_label


  # od -bc /sys/bus/mc0/devices/dimm0/dimm_label
   0000000 012 012
            \n  \n
   0000002

 3) An input string longer than the buffer size results a wrong label
    info as it allows a retry with the remaining string.

  # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0_TEST" \
  > /sys/bus/mc0/devices/dimm0/dimm_label
  # cat  /sys/bus/mc0/devices/dimm0/dimm_label
  _TEST

Fix these issues by making the following changes:
 1) Replace a newline charactor at the end by setting a null. It also
    assures that the string is null-terminated within the size.
 2) Check the label buffer size with 'sizeof(dimm->label)'.
 3) Fail a request if its string exceeds the label buffer size.

Signed-off-by: Toshi Kani <toshi.kani@....com>
Acked-by: Tony Luck <tony.luck@...el.com>
Cc: Mauro Carvalho Chehab <mchehab@....samsung.com>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Doug Thompson <dougthompson@...ssion.com>
Cc: Robert Elliott <elliott@....com>
Cc: Tony Luck <tony.luck@...el.com>
---
 drivers/edac/edac_mc_sysfs.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index 8983755..01ad279 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -241,13 +241,13 @@ static ssize_t channel_dimm_label_store(struct device *dev,
 	unsigned chan = to_channel(mattr);
 	struct rank_info *rank = csrow->channels[chan];
 
-	ssize_t max_size = 0;
+	if (count == 0 || count > sizeof(rank->dimm->label))
+		return -EINVAL;
 
-	max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1);
-	strncpy(rank->dimm->label, data, max_size);
-	rank->dimm->label[max_size] = '\0';
+	strncpy(rank->dimm->label, data, count);
+	rank->dimm->label[count - 1] = '\0';
 
-	return max_size;
+	return count;
 }
 
 /* show function for dynamic chX_ce_count attribute */
@@ -495,13 +495,13 @@ static ssize_t dimmdev_label_store(struct device *dev,
 {
 	struct dimm_info *dimm = to_dimm(dev);
 
-	ssize_t max_size = 0;
+	if (count == 0 || count > sizeof(dimm->label))
+		return -EINVAL;
 
-	max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1);
-	strncpy(dimm->label, data, max_size);
-	dimm->label[max_size] = '\0';
+	strncpy(dimm->label, data, count);
+	dimm->label[count - 1] = '\0';
 
-	return max_size;
+	return count;
 }
 
 static ssize_t dimmdev_size_show(struct device *dev,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ