| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lsq.1465842997.276647610@decadent.org.uk>
Date: Mon, 13 Jun 2016 19:36:37 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org,
"Chris Wilson" <chris@...is-wilson.co.uk>,
"Matthew Garrett" <mjg59@...eos.com>,
"Peter Jones" <pjones@...hat.com>,
"Jani Nikula" <jani.nikula@...ux.intel.com>,
"Laszlo Ersek" <lersek@...hat.com>,
"Matt Fleming" <matt@...eblueprint.co.uk>,
"Jason Andryuk" <jandryuk@...il.com>
Subject: [PATCH 3.16 043/114] efi: Fix out-of-bounds read in
variable_matches()
3.16.36-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Laszlo Ersek <lersek@...hat.com>
commit 630ba0cc7a6dbafbdee43795617c872b35cde1b4 upstream.
The variable_matches() function can currently read "var_name[len]", for
example when:
- var_name[0] == 'a',
- len == 1
- match_name points to the NUL-terminated string "ab".
This function is supposed to accept "var_name" inputs that are not
NUL-terminated (hence the "len" parameter"). Document the function, and
access "var_name[*match]" only if "*match" is smaller than "len".
Reported-by: Chris Wilson <chris@...is-wilson.co.uk>
Signed-off-by: Laszlo Ersek <lersek@...hat.com>
Cc: Peter Jones <pjones@...hat.com>
Cc: Matthew Garrett <mjg59@...eos.com>
Cc: Jason Andryuk <jandryuk@...il.com>
Cc: Jani Nikula <jani.nikula@...ux.intel.com>
Link: http://thread.gmane.org/gmane.comp.freedesktop.xorg.drivers.intel/86906
Signed-off-by: Matt Fleming <matt@...eblueprint.co.uk>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
drivers/firmware/efi/vars.c | 37 ++++++++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 11 deletions(-)
--- a/drivers/firmware/efi/vars.c
+++ b/drivers/firmware/efi/vars.c
@@ -202,29 +202,44 @@ static const struct variable_validate va
{ NULL_GUID, "", NULL },
};
+/*
+ * Check if @var_name matches the pattern given in @match_name.
+ *
+ * @var_name: an array of @len non-NUL characters.
+ * @match_name: a NUL-terminated pattern string, optionally ending in "*". A
+ * final "*" character matches any trailing characters @var_name,
+ * including the case when there are none left in @var_name.
+ * @match: on output, the number of non-wildcard characters in @match_name
+ * that @var_name matches, regardless of the return value.
+ * @return: whether @var_name fully matches @match_name.
+ */
static bool
variable_matches(const char *var_name, size_t len, const char *match_name,
int *match)
{
for (*match = 0; ; (*match)++) {
char c = match_name[*match];
- char u = var_name[*match];
- /* Wildcard in the matching name means we've matched */
- if (c == '*')
+ switch (c) {
+ case '*':
+ /* Wildcard in @match_name means we've matched. */
return true;
- /* Case sensitive match */
- if (!c && *match == len)
- return true;
-
- if (c != u)
+ case '\0':
+ /* @match_name has ended. Has @var_name too? */
+ return (*match == len);
+
+ default:
+ /*
+ * We've reached a non-wildcard char in @match_name.
+ * Continue only if there's an identical character in
+ * @var_name.
+ */
+ if (*match < len && c == var_name[*match])
+ continue;
return false;
-
- if (!c)
- return true;
+ }
}
- return true;
}
bool
Powered by blists - more mailing lists