| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150924164830.GF3774@pd.tnic>
Date: Thu, 24 Sep 2015 18:48:30 +0200
From: Borislav Petkov <bp@...en8.de>
To: Toshi Kani <toshi.kani@....com>
Cc: mchehab@....samsung.com, dougthompson@...ssion.com,
linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org,
elliott@....com, tony.luck@...el.com
Subject: Re: [PATCH v2 2/2] EDAC: Fix sysfs dimm_label store operation
On Tue, Sep 22, 2015 at 08:58:03AM -0600, Toshi Kani wrote:
> Sysfs "dimm_label" and "chX_dimm_label" have the following issues
> in their store operation.
>
> 1) A newline-terminated input string causes redundant newlines
>
> # echo "test" > /sys/bus/mc0/devices/dimm0/dimm_label
> # cat /sys/bus/mc0/devices/dimm0/dimm_label
> test
>
> # od -bc /sys/bus/mc0/devices/dimm0/dimm_label
> 0000000 164 145 163 164 012 012
> t e s t \n \n
> 0000006
>
> 2) The original label string (31 characters) cannot be stored due to
> an improper size check
>
> # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0" \
> > /sys/bus/mc0/devices/dimm0/dimm_label
> # cat /sys/bus/mc0/devices/dimm0/dimm_label
>
>
> # od -bc /sys/bus/mc0/devices/dimm0/dimm_label
> 0000000 012 012
> \n \n
> 0000002
>
> 3) An input string longer than the buffer size results a wrong label
> info as it allows a retry with the remaining string.
>
> # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0_TEST" \
> > /sys/bus/mc0/devices/dimm0/dimm_label
> # cat /sys/bus/mc0/devices/dimm0/dimm_label
> _TEST
>
> Fix these issues by making the following changes:
> 1) Replace a newline charactor at the end by setting a null. It also
> assures that the string is null-terminated within the size.
> 2) Check the label buffer size with 'sizeof(dimm->label)'.
> 3) Fail a request if its string exceeds the label buffer size.
>
> Signed-off-by: Toshi Kani <toshi.kani@....com>
> Acked-by: Tony Luck <tony.luck@...el.com>
> Cc: Mauro Carvalho Chehab <mchehab@....samsung.com>
> Cc: Borislav Petkov <bp@...en8.de>
> Cc: Doug Thompson <dougthompson@...ssion.com>
> Cc: Robert Elliott <elliott@....com>
> Cc: Tony Luck <tony.luck@...el.com>
> ---
> drivers/edac/edac_mc_sysfs.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
...
> @@ -495,13 +495,13 @@ static ssize_t dimmdev_label_store(struct device *dev,
> {
> struct dimm_info *dimm = to_dimm(dev);
>
> - ssize_t max_size = 0;
> + if (count == 0 || count > sizeof(dimm->label))
> + return -EINVAL;
$ echo "" > /sys/bus/mc0/devices/dimm0/dimm_label
$ od -bc /sys/bus/mc0/devices/dimm0/dimm_label
0000000
$ cat /sys/bus/mc0/devices/dimm0/dimm_label
$
I don't think we want to allow empty labels. I guess something like this
(2 because there's also the additional "\n"):
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index d4e0bff268d8..e52ba338334b 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -241,7 +241,7 @@ static ssize_t channel_dimm_label_store(struct device *dev,
unsigned chan = to_channel(mattr);
struct rank_info *rank = csrow->channels[chan];
- if (count == 0 || count > sizeof(rank->dimm->label))
+ if (count < 2 || count > sizeof(rank->dimm->label))
return -EINVAL;
strncpy(rank->dimm->label, data, count);
@@ -495,7 +495,7 @@ static ssize_t dimmdev_label_store(struct device *dev,
{
struct dimm_info *dimm = to_dimm(dev);
- if (count == 0 || count > sizeof(dimm->label))
+ if (count < 2 || count > sizeof(dimm->label))
return -EINVAL;
strncpy(dimm->label, data, count);
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists