lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 8 Nov 2017 18:30:08 +0000
From:   <Mario.Limonciello@...l.com>
To:     <sathyanarayanan.kuppuswamy@...ux.intel.com>, <arnd@...db.de>,
        <pali.rohar@...il.com>, <dvhart@...radead.org>,
        <andy@...radead.org>
CC:     <quasisec@...gle.com>, <hdegoede@...hat.com>,
        <platform-driver-x86@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] dell-smbios: fix string overflow



> -----Original Message-----
> From: sathyanarayanan kuppuswamy
> [mailto:sathyanarayanan.kuppuswamy@...ux.intel.com]
> Sent: Wednesday, November 8, 2017 12:23 PM
> To: Arnd Bergmann <arnd@...db.de>; Pali Rohár <pali.rohar@...il.com>;
> Limonciello, Mario <Mario_Limonciello@...l.com>; Darren Hart
> <dvhart@...radead.org>; Andy Shevchenko <andy@...radead.org>
> Cc: Edward O'Callaghan <quasisec@...gle.com>; Hans de Goede
> <hdegoede@...hat.com>; platform-driver-x86@...r.kernel.org; linux-
> kernel@...r.kernel.org
> Subject: Re: [PATCH] dell-smbios: fix string overflow
> 
> Hi,
> 
> I recommend using "platform/x86: dell-smbios:" in commit header.
> 
> On 11/08/2017 04:08 AM, Arnd Bergmann wrote:
> > The new sysfs code overwrites two fixed-length character arrays
> > that are each one byte shorter than they need to be, to hold
> > the trailing \0:
> >
> > drivers/platform/x86/dell-smbios.c: In function 'build_tokens_sysfs':
> > drivers/platform/x86/dell-smbios.c:494:42: error: 'sprintf' writing a terminating
> nul past the end of the destination [-Werror=format-overflow=]
> >     sprintf(buffer_location, "%04x_location",
> > drivers/platform/x86/dell-smbios.c:494:3: note: 'sprintf' output 14 bytes into a
> destination of size 13
> > drivers/platform/x86/dell-smbios.c:506:36: error: 'sprintf' writing a terminating
> nul past the end of the destination [-Werror=format-overflow=]
> >     sprintf(buffer_value, "%04x_value",
> > drivers/platform/x86/dell-smbios.c:506:3: note: 'sprintf' output 11 bytes into a
> destination of size 10
> Don't need to include the error log in commit message. Just explaining
> the issue is good enough.
> >
> > This changes it to just use kasprintf(), which always gets it right.
> >
> > Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for
> SMBIOS tokens")
> > Signed-off-by: Arnd Bergmann <arnd@...db.de>
> > ---
> >   drivers/platform/x86/dell-smbios.c | 12 ++++--------
> >   1 file changed, 4 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/platform/x86/dell-smbios.c b/drivers/platform/x86/dell-
> smbios.c
> > index d99edd803c19..6a60db515bda 100644
> > --- a/drivers/platform/x86/dell-smbios.c
> > +++ b/drivers/platform/x86/dell-smbios.c
> > @@ -463,8 +463,6 @@ static struct platform_driver platform_driver = {
> >
> >   static int build_tokens_sysfs(struct platform_device *dev)
> >   {
> > -	char buffer_location[13];
> > -	char buffer_value[10];
> >   	char *location_name;
> >   	char *value_name;
> >   	size_t size;
> > @@ -491,9 +489,8 @@ static int build_tokens_sysfs(struct platform_device
> *dev)
> >   		if (da_tokens[i].tokenID == 0)
> >   			continue;
> >   		/* add location */
> > -		sprintf(buffer_location, "%04x_location",
> > -			da_tokens[i].tokenID);
> > -		location_name = kstrdup(buffer_location, GFP_KERNEL);
> > +		location_name = kasprintf(GFP_KERNEL, "%04x_location",
> > +					  da_tokens[i].tokenID);
> >   		if (location_name == NULL)
> >   			goto out_unwind_strings;
> >   		sysfs_attr_init(&token_location_attrs[i].attr);
> > @@ -503,9 +500,8 @@ static int build_tokens_sysfs(struct platform_device
> *dev)
> >   		token_attrs[j++] = &token_location_attrs[i].attr;
> >
> >   		/* add value */
> > -		sprintf(buffer_value, "%04x_value",
> > -			da_tokens[i].tokenID);
> > -		value_name = kstrdup(buffer_value, GFP_KERNEL);
> > +		value_name = kasprintf(GFP_KERNEL, "%04x_value",
> > +				       da_tokens[i].tokenID);
> >   		if (value_name == NULL)
> >   			goto loop_fail_create_value;
> >   		sysfs_attr_init(&token_value_attrs[i].attr);
> 
> --

Arnd,

Assuming Darren will do the fixup for title and message as recommended by 
Sathyanarayanan before committing:
Acked-by: Mario Limonciello <mario.limonciello@...l.com>

Thanks, for the fix.  For my own information and improvement, would you 
share how you caught that?  Just added "-Werror=format-overflow=" to CFLAGS?
I wasn't seeing the compile errors with default flags in my own testing, so I'd like 
to make sure I'm doing better testing in the future.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ