lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACVxJT9A7YF-9GiXvUzkGDfjG8n4mXkRYTfQYdd6rgBSmqOJ-w@mail.gmail.com>
Date:   Tue, 28 Nov 2017 12:12:44 +0200
From:   Alexey Dobriyan <adobriyan@...il.com>
To:     Andrei Vagin <avagin@...tuozzo.com>
Cc:     akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        xemul@...tuozzo.com
Subject: Re: proc: fix /proc/*/map_files lookup

On 11/28/17, Andrei Vagin <avagin@...tuozzo.com> wrote:
> On Tue, Nov 21, 2017 at 12:27:06AM +0300, Alexey Dobriyan wrote:
>> Current code does:
>>
>> 	if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
>>
>> However sscanf() is broken garbage.
>>
>> It silently accepts whitespace between format specifiers
>> (did you know that?).
>>
>> It silently accepts valid strings which result in integer overflow.
>>
>> Do not use sscanf() for any even remotely reliable parsing code.
>
> This patch breaks criu, criu has one places where a file name is generated
> as map_files/%p-%p

> openat(1048572, "map_files/0x7f9912dd5000-0x7f9912de4000", O_RDWR) = -1

glibc prints null pointer as "(nil)", so %p is broken even if lookup is fixed.

> And this code worked before this patch and it doesn't work with this
> patch. And you have to know that we never break user-space programs ;)

OK :-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ