| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jan 2016 18:16:14 +0000
From: "Luck, Tony" <tony.luck@...el.com>
To: Matt Fleming <matt@...eblueprint.co.uk>
CC: Insu Yun <wuninsu@...il.com>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"taesoo@...ech.edu" <taesoo@...ech.edu>,
"yeongjin.jang@...ech.edu" <yeongjin.jang@...ech.edu>,
"insu@...ech.edu" <insu@...ech.edu>,
"changwoo@...ech.edu" <changwoo@...ech.edu>
Subject: RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability
>> What about using:
>>
>> msg[len] = '\0';
>>
>> to guarantee NUL termination?
>
> But that may leave garbage bytes in 'rcd_decode_str' in the case where
> the string isn't as long as 'len'.
>
> How about memset()'ing the buffer to zero and deleting the NUL
> termination line?
Looks like overkill to me. We only use this function in two places:
if (cper_dimm_err_location(cmem, rcd_decode_str))
trace_seq_printf(p, "%s", rcd_decode_str);
if (cper_dimm_err_location(&cmem, rcd_decode_str))
printk("%s%s\n", pfx, rcd_decode_str);
Neither would care if there were garbage after the NUL and before the
end of the rcd_decode_str[] array.
This buffer isn't visible to user space, so we aren't leaking data by having
garbage bytes after the NUL.
-Tony
Powered by blists - more mailing lists