lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1487198494.450076493@decadent.org.uk>
Date:   Wed, 15 Feb 2017 22:41:34 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org, "Liu Jing" <liujbjl@...ux.vnet.ibm.com>,
        "Sascha Silbe" <silbe@...ux.vnet.ibm.com>,
        "Yang Chen" <bjcyang@...ux.vnet.ibm.com>,
        "Martin Schwidefsky" <schwidefsky@...ibm.com>
Subject: [PATCH 3.2 034/126] s390/con3270: fix use of uninitialised data

3.2.85-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sascha Silbe <silbe@...ux.vnet.ibm.com>

commit c14f2aac7aa147861793eed9f41f91dd530f0be1 upstream.

con3270 contains an optimisation that reduces the amount of data to be
transmitted to the 3270 terminal by putting a Repeat to Address (RA)
order into the data stream. The RA order itself takes up space, so
con3270 only uses it if there's enough space left in the line
buffer. Otherwise it just pads out the line manually.

For lines too long to include the RA order, one byte was left
uninitialised. This was caused by an off-by-one bug in the loop that
pads out the line. Since the buffer is allocated from a common pool,
the single byte left uninitialised contained some previous buffer
content. Usually this was just a space or some character (which can
result in clutter but is otherwise harmless). Sometimes, however, it
was a Repeat to Address order, messing up the entire screen layout and
causing the display to send the entire buffer content on every
keystroke.

Fixes: f51320a5 ("[PATCH] s390: new 3270 driver.") (tglx/history.git)
Reported-by: Liu Jing <liujbjl@...ux.vnet.ibm.com>
Tested-by: Jing Liu <liujbjl@...ux.vnet.ibm.com>
Tested-by: Yang Chen <bjcyang@...ux.vnet.ibm.com>
Signed-off-by: Sascha Silbe <silbe@...ux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@...ibm.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 drivers/s390/char/con3270.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/s390/char/con3270.c
+++ b/drivers/s390/char/con3270.c
@@ -456,7 +456,7 @@ con3270_cline_end(struct con3270 *cp)
 		s->string[s->len - 4] = TO_RA;
 		s->string[s->len - 1] = 0;
 	} else {
-		while (--size > cp->cline->len)
+		while (--size >= cp->cline->len)
 			s->string[size] = cp->view.ascebc[' '];
 	}
 	/* Replace cline with allocated line s and reset cline. */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ