Message-Id: <20151222225239.8E1DCA58@viggo.jf.intel.com>
Date:	Tue, 22 Dec 2015 14:52:39 -0800
From:	Dave Hansen <dave@...1.net>
To:	x86@...nel.org
Cc:	linux-kernel@...r.kernel.org, Dave Hansen <dave@...1.net>,
	dave.hansen@...ux.intel.com, bp@...e.de, hpa@...or.com,
	fenghua.yu@...el.com, yu-cheng.yu@...el.com
Subject: [PATCH 2/5] x86: fix early command-line parsing, when partial word match


From: Dave Hansen <dave.hansen@...ux.intel.com>

cmdline_find_option_bool() keeps track of position in two strings:
1. the command-line
2. the option we are searching for in the command-line

We plow through each character in the command-line one at a time,
always moving forward.  We move forward in the option ('opptr')
when we match characters in 'cmdline'.  We reset the 'opptr' only
when we go in to the 'st_wordstart' state.

But, if we fail to match an option because we see a space (
state=st_wordcmp, *opptr='\0',c=' '), we set state='st_wordskip'
and 'break', moving to the next character.  But, that move to
the next character is the one *after* the ' '.  This means that
we will miss a 'st_wordstart' state.

For instance, if we have

	cmdline = "foo fool";

and are searching for "fool", we have:

	"fool"
opptr = ----^

	"foo fool"
c = --------^

We see that 'l' != ' ', set state=st_wordskip, break, and then
move 'c', so:

	"foo fool"
c = ---------^

and are still in state=st_wordskip.  We will stay in wordskip
until we have skipped "fool", thus missing the option we were
looking for.  This *only* happens when you have a partially-
matching word followed by a matching one.

To fix this, we always fall *into* the 'st_wordskip' state when
we set it.

Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Borislav Petkov <bp@...e.de>
Cc: H. Peter Anvin <hpa@...or.com>
Cc: linux-kernel@...r.kernel.org
Cc: fenghua.yu@...el.com
Cc: yu-cheng.yu@...el.com
---

 b/arch/x86/lib/cmdline.c |   18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff -puN arch/x86/lib/cmdline.c~x86-mid-option-match-command-line-parsing arch/x86/lib/cmdline.c
--- a/arch/x86/lib/cmdline.c~x86-mid-option-match-command-line-parsing	2015-12-22 11:56:59.047167827 -0800
+++ b/arch/x86/lib/cmdline.c	2015-12-22 11:56:59.050167962 -0800
@@ -72,18 +72,26 @@ int cmdline_find_option_bool(const char
 				 */
 				if (!c || myisspace(c))
 					return wstart;
-				else
-					state = st_wordskip;
+				/*
+				 * We hit the end of the option, but _not_
+				 * the end of a word on the cmdline.  Not
+				 * a match.
+				 */
 			} else if (!c) {
 				/*
 				 * Hit the NULL terminator on the end of
 				 * cmdline.
 				 */
 				return 0;
-			} else if (c != *opptr++) {
-				state = st_wordskip;
+			} else if (c == *opptr++) {
+				/*
+				 * We are currently matching, so continue
+				 * to the next character on the cmdline.
+				 */
+				break;
 			}
-			break;
+			state = st_wordskip;
+			/* fall through */
 
 		case st_wordskip:
 			if (!c)
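Review bot: the changelog's parenthetical gives the failing state as *opptr='\0', c=' ', but the first branch of this hunk (`if (!c || myisspace(c)) return wstart;`) returns a match in exactly that state; in the "foo fool" walk-through *opptr is 'l' when the space is seen, so the changelog should describe that state instead. In the code, the new comment after `return wstart;` closes the `!*opptr` branch with no statement, so the path to `state = st_wordskip` below the if/else chain is easy to miss; ending that comment with a remark that control continues to the st_wordskip assignment would help. Note too that `c == *opptr++` still advances opptr on a mismatch, which is safe only because opptr is reset in st_wordstart, as the changelog says.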
_
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
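Added example, not part of the original message and not the kernel source: a simplified userspace model of the state machine the commit message describes, run on its "foo fool" case. The function name `find_option_bool`, the `fixed` flag that selects pre-patch or post-patch mismatch handling, and the use of `isspace` in place of the kernel's `myisspace` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
/* Userspace model of the state machine, not the kernel source.
 * fixed == 0: a mismatch sets st_wordskip and breaks (pre-patch behaviour);
 * fixed != 0: it falls into st_wordskip. Returns 1-based word position or 0. */
static int find_option_bool(const char *cmdline, const char *option, int fixed)
{
	enum { st_wordstart, st_wordcmp, st_wordskip } state = st_wordstart;
	const char *opptr = option;
	int pos = 0, wstart = 0;

	for (;;) {
		char c = cmdline[pos++];	/* the terminating NUL is processed too */
		switch (state) {
		case st_wordstart:
			if (!c)
				return 0;
			if (isspace((unsigned char)c))
				break;
			state = st_wordcmp;
			opptr = option;
			wstart = pos;
			/* fall through */
		case st_wordcmp:
			if (!*opptr) {
				if (!c || isspace((unsigned char)c))
					return wstart;	/* whole word matched */
			} else if (!c) {
				return 0;
			} else if (c == *opptr++) {
				break;		/* still matching */
			}
			state = st_wordskip;
			if (!fixed)
				break;		/* pre-patch: a space seen here is lost */
			/* fall through */
		case st_wordskip:
			if (!c)
				return 0;
			if (isspace((unsigned char)c))
				state = st_wordstart;
			break;
		}
	}
}
int main(void)
{
	printf("before=%d after=%d\n", find_option_bool("foo fool", "fool", 0), find_option_bool("foo fool", "fool", 1));
	return 0;
}
```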
