| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Sep 2015 13:06:04 -0600
From: Toshi Kani <toshi.kani@....com>
To: Borislav Petkov <bp@...en8.de>
Cc: mchehab@....samsung.com, dougthompson@...ssion.com,
linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org,
elliott@....com, tony.luck@...el.com
Subject: Re: [PATCH v2 2/2] EDAC: Fix sysfs dimm_label store operation
On Thu, 2015-09-24 at 18:48 +0200, Borislav Petkov wrote:
> On Tue, Sep 22, 2015 at 08:58:03AM -0600, Toshi Kani wrote:
> > Sysfs "dimm_label" and "chX_dimm_label" have the following issues
> > in their store operation.
> >
> > 1) A newline-terminated input string causes redundant newlines
> >
> > # echo "test" > /sys/bus/mc0/devices/dimm0/dimm_label
> > # cat /sys/bus/mc0/devices/dimm0/dimm_label
> > test
> >
> > # od -bc /sys/bus/mc0/devices/dimm0/dimm_label
> > 0000000 164 145 163 164 012 012
> > t e s t \n \n
> > 0000006
> >
> > 2) The original label string (31 characters) cannot be stored due to
> > an improper size check
> >
> > # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0" \
> > > /sys/bus/mc0/devices/dimm0/dimm_label
> > # cat /sys/bus/mc0/devices/dimm0/dimm_label
> >
> >
> > # od -bc /sys/bus/mc0/devices/dimm0/dimm_label
> > 0000000 012 012
> > \n \n
> > 0000002
> >
> > 3) An input string longer than the buffer size results a wrong label
> > info as it allows a retry with the remaining string.
> >
> > # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0_TEST" \
> > > /sys/bus/mc0/devices/dimm0/dimm_label
> > # cat /sys/bus/mc0/devices/dimm0/dimm_label
> > _TEST
> >
> > Fix these issues by making the following changes:
> > 1) Replace a newline charactor at the end by setting a null. It also
> > assures that the string is null-terminated within the size.
> > 2) Check the label buffer size with 'sizeof(dimm->label)'.
> > 3) Fail a request if its string exceeds the label buffer size.
> >
> > Signed-off-by: Toshi Kani <toshi.kani@....com>
> > Acked-by: Tony Luck <tony.luck@...el.com>
> > Cc: Mauro Carvalho Chehab <mchehab@....samsung.com>
> > Cc: Borislav Petkov <bp@...en8.de>
> > Cc: Doug Thompson <dougthompson@...ssion.com>
> > Cc: Robert Elliott <elliott@....com>
> > Cc: Tony Luck <tony.luck@...el.com>
> > ---
> > drivers/edac/edac_mc_sysfs.c | 20 ++++++++++----------
> > 1 file changed, 10 insertions(+), 10 deletions(-)
>
> ...
>
> > @@ -495,13 +495,13 @@ static ssize_t dimmdev_label_store(struct device *dev,
> > {
> > struct dimm_info *dimm = to_dimm(dev);
> >
> > - ssize_t max_size = 0;
> > + if (count == 0 || count > sizeof(dimm->label))
> > + return -EINVAL;
>
> $ echo "" > /sys/bus/mc0/devices/dimm0/dimm_label
> $ od -bc /sys/bus/mc0/devices/dimm0/dimm_label
> 0000000
> $ cat /sys/bus/mc0/devices/dimm0/dimm_label
> $
>
> I don't think we want to allow empty labels. I guess something like this
> (2 because there's also the additional "\n"):
edac-utils(1) checks empty labels and shows them as "ch%d" [1]. So,
I think empty labels are supported today, and using 'echo "" >' seems
to be a legitimate way to set them empty if desired.
While looking at the count check, though, I noticed that 'echo -n'
does not send a null-terminated string (hence, the count check needs
to take it into account) since it simply calls putchar() to send '1'
only in the example below. [2]
$ echo -n "1" | wc
0 1 1
Attached is updated patch that handles the 'echo -n' case properly.
When an input string is not null-terminated, it appends
'\0' to the
end as long as it fits into the label buffer.
Thanks,
-Toshi
[1] https://github.com/grondo/edac-utils/search?utf8=%E2%9C%93&q=dimm_label_valid&type=Code
[2] http://git.savannah.gnu.org/cgit/coreutils.git/tree/src/echo.c
======
Subject: [PATCH v2 UPDATE 2/2] EDAC: Fix sysfs dimm_label store operation
Sysfs "dimm_label" and "chX_dimm_label" have the following issues
in their store operation.
1) A newline-terminated input string causes redundant newlines
# echo "test" > /sys/bus/mc0/devices/dimm0/dimm_label
# cat /sys/bus/mc0/devices/dimm0/dimm_label
test
# od -bc /sys/bus/mc0/devices/dimm0/dimm_label
0000000 164 145 163 164 012 012
t e s t \n \n
0000006
2) The original label string (31 characters) cannot be stored due to
an improper size check
# echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0" \
> /sys/bus/mc0/devices/dimm0/dimm_label
# cat /sys/bus/mc0/devices/dimm0/dimm_label
# od -bc /sys/bus/mc0/devices/dimm0/dimm_label
0000000 012 012
\n \n
0000002
3) An input string longer than the buffer size results a wrong label
info as it allows a retry with the remaining string.
# echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0_TEST" \
> /sys/bus/mc0/devices/dimm0/dimm_label
# cat /sys/bus/mc0/devices/dimm0/dimm_label
_TEST
Fix these issues by making the following changes:
1) Replace a newline character at the end by setting a null. It also
assures that the string is null-terminated in the label buffer.
2) Check the label buffer size with 'sizeof(dimm->label)'.
3) Fail a request if its string exceeds the label buffer size.
Signed-off-by: Toshi Kani <toshi.kani@....com>
Acked-by: Tony Luck <tony.luck@...el.com>
Cc: Mauro Carvalho Chehab <mchehab@....samsung.com>
Cc: Borislav Petkov <bp@...en8.de>
Cc: Doug Thompson <dougthompson@...ssion.com>
Cc: Robert Elliott <elliott@....com>
Cc: Tony Luck <tony.luck@...el.com>
---
drivers/edac/edac_mc_sysfs.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index 8983755..5252fb9 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -240,14 +240,21 @@ static ssize_t channel_dimm_label_store(struct device *dev,
struct csrow_info *csrow = to_csrow(dev);
unsigned chan = to_channel(mattr);
struct rank_info *rank = csrow->channels[chan];
+ size_t copy_count = count;
- ssize_t max_size = 0;
+ if (count == 0)
+ return -EINVAL;
+
+ if (data[count - 1] == '\0' || data[count - 1] == '\n')
+ copy_count -= 1;
- max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1);
- strncpy(rank->dimm->label, data, max_size);
- rank->dimm->label[max_size] = '\0';
+ if (copy_count >= sizeof(rank->dimm->label))
+ return -EINVAL;
- return max_size;
+ strncpy(rank->dimm->label, data, copy_count);
+ rank->dimm->label[copy_count] = '\0';
+
+ return count;
}
/* show function for dynamic chX_ce_count attribute */
@@ -494,14 +501,21 @@ static ssize_t dimmdev_label_store(struct device *dev,
size_t count)
{
struct dimm_info *dimm = to_dimm(dev);
+ size_t copy_count = count;
- ssize_t max_size = 0;
+ if (count == 0)
+ return -EINVAL;
+
+ if (data[count - 1] == '\0' || data[count - 1] == '\n')
+ copy_count -= 1;
- max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1);
- strncpy(dimm->label, data, max_size);
- dimm->label[max_size] = '\0';
+ if (copy_count >= sizeof(dimm->label))
+ return -EINVAL;
- return max_size;
+ strncpy(dimm->label, data, copy_count);
+ dimm->label[copy_count] = '\0';
+
+ return count;
}
static ssize_t dimmdev_size_show(struct device *dev,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists