lists.openwall.net
Open Source and information security mailing list archives
Date:   Tue, 25 Jul 2017 09:23:36 +0200
From:   Arnd Bergmann <arnd@...db.de>
To:     Andy Shevchenko <andy.shevchenko@...il.com>
Cc:     Darren Hart <dvhart@...radead.org>,
        Andy Shevchenko <andy@...radead.org>,
        Platform Driver <platform-driver-x86@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        gregkh <gregkh@...uxfoundation.org>
Subject: Re: [PATCH 2/2] platform/x86: alienware-wmi: fix format string
 overflow warning

On Mon, Jul 24, 2017 at 11:22 AM, Andy Shevchenko
<andy.shevchenko@...il.com> wrote:
> On Thu, Jul 20, 2017 at 7:00 PM, Arnd Bergmann <arnd@...db.de> wrote:
>> gcc points out a possible format string overflow for a large value of 'zone':
>>
>> drivers/platform/x86/alienware-wmi.c: In function 'alienware_wmi_init':
>> drivers/platform/x86/alienware-wmi.c:461:24: error: '%02X' directive writing between 2 and 8 bytes into a region of size 6 [-Werror=format-overflow=]
>>    sprintf(buffer, "zone%02X", i);
>>                         ^~~~
>> drivers/platform/x86/alienware-wmi.c:461:19: note: directive argument in the range [0, 2147483646]
>>    sprintf(buffer, "zone%02X", i);
>>                    ^~~~~~~~~~
>> drivers/platform/x86/alienware-wmi.c:461:3: note: 'sprintf' output between 7 and 13 bytes into a destination of size 10
>>
>> This replaces the 'int' variable with an 'u8' to make sure
>> it always fits, renaming the variable to 'zone' for clarity.
>>
>> Unfortunately, gcc-7.1.1 still warns about it with that change, which
>> seems to be unintended by the gcc developers. I have opened a bug
>> against gcc with a reduced test case. As a workaround, I also
>> change the format string to use "%02hhX", which shuts up the
>> warning in that version.
>>
>
> Thanks, pushed to testing with slight change (+ empty lines after u8
> zone; where it's applicable).
> I'm not going to move this to fixes queue since it looks to me not
> critical at all. Drop me a message if you think otherwise.

Sounds good, thanks! This instance is harmless, and the warning is now
globally disabled in stable kernels (and in mainline). I plan to send a patch
to re-enable the warning in mainline once all the other instances are
addressed.  I don't think that Greg will backport that patch, but if he does,
then he may need some additional 30 patches besides this one.

          Arnd
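The warning quoted above is about arithmetic, not about the driver: "zone" is 4 bytes, an `int` printed with `%02X` can need up to 8 hex digits, and with the NUL that is 13 bytes into a 10-byte buffer. The following is an added example, not code from the alienware-wmi patch or the kernel: it measures what the original `int` + `"zone%02X"` form can produce, shows that the `u8` + `"%02hhX"` form is bounded at 6 characters, and wraps the fixed form in a length-checked `snprintf` so truncation is reported rather than silently overflowing. `ZONE_NAME_LEN`, the function names and the sample values are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed buffer size, matching the "destination of size 10" gcc reported
 * in the quoted warning; not the driver's own declaration. */
#define ZONE_NAME_LEN 10

/* Bytes (excluding the NUL) that the original "zone%02X" format produces
 * for a given int. snprintf with a NULL buffer and size 0 only measures. */
int zone_name_len_int(int i)
{
    return snprintf(NULL, 0, "zone%02X", i);
}

/* Same measurement for the patched format: a u8 argument with "%02hhX"
 * is truncated to unsigned char by printf, so it never exceeds 2 digits. */
int zone_name_len_u8(uint8_t zone)
{
    return snprintf(NULL, 0, "zone%02hhX", zone);
}

/* 1 if sprintf(buf, "zone%02X", i) into a ZONE_NAME_LEN buffer would
 * write past the end (the +1 accounts for the terminating NUL). */
int int_format_overflows(int i)
{
    return zone_name_len_int(i) + 1 > ZONE_NAME_LEN;
}

/* Hardened formatter: bounded write, narrow argument type, and an explicit
 * truncation check. Returns 0 on success, -1 if the name did not fit. */
int format_zone_name(char *buf, size_t buflen, uint8_t zone)
{
    int n = snprintf(buf, buflen, "zone%02hhX", zone);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

int main(void)
{
    char buf[ZONE_NAME_LEN];

    printf("int  %-10d -> %2d bytes, overflows: %d\n", 0, zone_name_len_int(0), int_format_overflows(0));
    printf("int  %-10d -> %2d bytes, overflows: %d\n", 0x7FFFFFFF, zone_name_len_int(0x7FFFFFFF), int_format_overflows(0x7FFFFFFF));
    printf("u8   %-10u -> %2d bytes\n", 255u, zone_name_len_u8(255));

    if (format_zone_name(buf, sizeof(buf), 0xAB) == 0)
        printf("formatted: %s\n", buf);
    return 0;
}
```

The measured lengths reproduce gcc's range exactly: 6 characters for `i == 0` and 12 for `INT_MAX`, i.e. 7 to 13 bytes including the NUL. Changing the argument to `u8` is what makes the bound provable; `%02hhX` is only there to convince the gcc-7.1.1 range analysis, as the quoted description says. The `snprintf` wrapper is the belt-and-braces form for cases where the argument cannot be narrowed.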
