| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1518784656.7876.36.camel@infradead.org>
Date: Fri, 16 Feb 2018 12:37:36 +0000
From: David Woodhouse <dwmw2@...radead.org>
To: Norbert Manthey <nmanthey@...zon.de>,
amd-gfx@...ts.freedesktop.org,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Cc: Alex Deucher <alexander.deucher@....com>,
Christian König <christian.koenig@....com>,
"David (ChunMing) Zhou" <David1.Zhou@....com>,
David Airlie <airlied@...ux.ie>,
Harry Wentland <harry.wentland@....com>,
Tony Cheng <tony.cheng@....com>,
Yongqiang Sun <yongqiang.sun@....com>,
Aric Cyr <Aric.Cyr@....com>,
Colin Ian King <colin.king@...onical.com>,
Corbin McElhanney <corbin.mcelhanney@....com>,
Jordan Lazare <Jordan.Lazare@....com>,
Dmytro Laktyushkin <Dmytro.Laktyushkin@....com>,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drm: fix off-by-one in logger
On Fri, 2018-02-16 at 10:43 +0100, Norbert Manthey wrote:
> The current implementation will leak a byte to the log via memmove. The
> specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
> termination character is only one byte large. To avoid this, factor out
> the error message, and furthermore make the second parameter of the
> append_entry function const.
>
> Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
>
> The full trace is as follows:
>
> In function ‘memmove’,
> from ‘append_entry’ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
> from ‘dm_logger_append_va’ at
> drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
> detected read beyond size of object passed as 2nd parameter
>
> Signed-off-by: Norbert Manthey <nmanthey@...zon.de>
That same code exists in a different form in at least 4.15 so
Cc: stable@...r.kernel.org
> Cc: Alex Deucher <alexander.deucher@....com>
> Cc: "Christian König" <christian.koenig@....com>
> Cc: "David (ChunMing) Zhou" <David1.Zhou@....com>
> Cc: David Airlie <airlied@...ux.ie>
> Cc: Harry Wentland <harry.wentland@....com>
> Cc: Tony Cheng <tony.cheng@....com>
> Cc: Yongqiang Sun <yongqiang.sun@....com>
> Cc: Aric Cyr <Aric.Cyr@....com>
> Cc: Colin Ian King <colin.king@...onical.com>
> Cc: Corbin McElhanney <corbin.mcelhanney@....com>
> Cc: Jordan Lazare <Jordan.Lazare@....com>
> Cc: Dmytro Laktyushkin <Dmytro.Laktyushkin@....com>
> Cc: amd-gfx@...ts.freedesktop.org
> Cc: dri-devel@...ts.freedesktop.org
> Cc: linux-kernel@...r.kernel.org
>
> ---
> drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> index 180a9d6..958070c 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
> @@ -243,7 +243,7 @@ static void log_heading(struct log_entry *entry)
>
> static void append_entry(
> struct log_entry *entry,
> - char *buffer,
> + const char *buffer,
> uint32_t buf_size)
> {
> if (!entry->buf ||
> @@ -345,7 +345,9 @@ void dm_logger_append_va(
> if (size < LOG_MAX_LINE_SIZE - 1) {
> append_entry(entry, buffer, size);
> } else {
> - append_entry(entry, "LOG_ERROR, line too long\n", 27);
> + static const char msg[] = "LOG_ERROR, line too long\n";
> +
> + append_entry(entry, msg, sizeof(msg));
> }
> }
> }
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5213 bytes)
Powered by blists - more mailing lists