Message-Id: <1492589122.ncy876vm18.astroid@naverao1-tp.none>
Date:   Wed, 19 Apr 2017 08:08:40 +0000
From:   "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>
To:     David Laight <David.Laight@...LAB.COM>,
        Michael Ellerman <mpe@...erman.id.au>
Cc:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Ingo Molnar <mingo@...nel.org>
Subject: RE: [PATCH v2 1/5] kprobes: convert kprobe_lookup_name() to a function

Excerpts from David Laight's message of April 18, 2017 18:22:
> From: Naveen N. Rao
>> Sent: 12 April 2017 11:58
> ...
>> +kprobe_opcode_t *kprobe_lookup_name(const char *name)
>> +{
> ...
>> +	char dot_name[MODULE_NAME_LEN + 1 + KSYM_NAME_LEN];
>> +	const char *modsym;
>> +	bool dot_appended = false;
>> +	if ((modsym = strchr(name, ':')) != NULL) {
>> +		modsym++;
>> +		if (*modsym != '\0' && *modsym != '.') {
>> +			/* Convert to <module:.symbol> */
>> +			strncpy(dot_name, name, modsym - name);
>> +			dot_name[modsym - name] = '.';
>> +			dot_name[modsym - name + 1] = '\0';
>> +			strncat(dot_name, modsym,
>> +				sizeof(dot_name) - (modsym - name) - 2);
>> +			dot_appended = true;
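Review bot: the offsets derived from the ':' position are never checked against sizeof(dot_name), so every store after strchr() is unbounded: if modsym - name exceeds sizeof(dot_name) the strncpy() itself writes past dot_name[], and even when it does not, `dot_name[modsym - name] = '.'` and the following NUL store land out of bounds, while `sizeof(dot_name) - (modsym - name) - 2` underflows to a huge size_t so the strncat() copies with no effective limit. Suggest validating modsym - name against MODULE_NAME_LEN and strlen(modsym) against KSYM_NAME_LEN (or against the space left in dot_name) before building the dotted name, and failing the lookup when either part does not fit.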
> 
> If the ':' is 'a way down' name[] then although the strncpy() won't
> overrun dot_name[] the rest of the code can.

Nice catch, thanks David!
We need to be validating the length of 'name'. I'll put out a patch for 
that.

As an aside, I'm not sure I follow what you mean when you say that the 
strncpy() won't overrun dot_name[]. If we have a name[] longer than 
sizeof(dot_name) with the ':' after that, the strncpy() can also overrun 
dot_name[].


- Naveen

> 
> The strncat() call is particularly borked.
> 
> 	David
> 
> 
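A bounds-checked version of the module:symbol to module:.symbol conversion discussed in this thread, added here as an example and not code from the patch or the kernel; MODULE_NAME_LEN and KSYM_NAME_LEN are local stand-in values, and build_dot_name() and dot_name_matches() are names chosen for the example.

```c
#include <string.h>

/* Stand-ins for the kernel's limits (values assumed for this example). */
#define MODULE_NAME_LEN 56
#define KSYM_NAME_LEN   128
#define DOT_NAME_LEN    (MODULE_NAME_LEN + 1 + KSYM_NAME_LEN)

/*
 * Build "module:.symbol" from "module:symbol" in dst, as the quoted hunk
 * does, but check every length before writing so that neither the copy,
 * the '.' store nor the tail copy can run past dst[dst_len].
 * Names with no ':' or already of the form "module:.symbol" are copied
 * unchanged. Returns 0 on success, -1 if the input is rejected.
 */
int build_dot_name(char *dst, size_t dst_len, const char *name)
{
	const char *modsym = strchr(name, ':');
	size_t namelen = strlen(name), modlen, symlen;

	if (!modsym || modsym[1] == '\0' || modsym[1] == '.') {
		if (namelen >= dst_len)          /* plain copy must fit too */
			return -1;
		memcpy(dst, name, namelen + 1);
		return 0;
	}
	modsym++;
	modlen = (size_t)(modsym - name);      /* "module:" including ':' */
	symlen = strlen(modsym);

	/* A module name is at most MODULE_NAME_LEN-1 chars and a symbol at
	 * most KSYM_NAME_LEN-1; anything longer is bogus, never copied. */
	if (modlen - 1 >= MODULE_NAME_LEN || symlen >= KSYM_NAME_LEN)
		return -1;
	if (modlen + 1 + symlen + 1 > dst_len) /* + '.' + NUL */
		return -1;

	memcpy(dst, name, modlen);
	dst[modlen] = '.';
	memcpy(dst + modlen + 1, modsym, symlen + 1); /* includes the NUL */
	return 0;
}

/* 1 if name converts to expected, 0 if it converts to something else,
 * -1 if build_dot_name() rejected it (expected may then be NULL). */
int dot_name_matches(const char *name, const char *expected)
{
	char dot_name[DOT_NAME_LEN];

	if (build_dot_name(dot_name, sizeof(dot_name), name) < 0)
		return -1;
	return strcmp(dot_name, expected) == 0;
}
```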
