lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1527056531-9568-1-git-send-email-nmanthey@amazon.de>
Date:   Wed, 23 May 2018 08:22:04 +0200
From:   Norbert Manthey <nmanthey@...zon.de>
To:     unlisted-recipients:; (no To-header on input)
CC:     Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        <stable@...r.kernel.org>, Norbert Manthey <nmanthey@...zon.de>,
        Alex Deucher <alexander.deucher@....com>,
        Christian König <christian.koenig@....com>,
        "David (ChunMing) Zhou" <David1.Zhou@....com>,
        David Airlie <airlied@...ux.ie>,
        Harry Wentland <harry.wentland@....com>,
        Tony Cheng <tony.cheng@....com>,
        Yongqiang Sun <yongqiang.sun@....com>,
        Anthony Koo <Anthony.Koo@....com>,
        Michel Dänzer <michel.daenzer@....com>,
        Dmytro Laktyushkin <Dmytro.Laktyushkin@....com>,
        Jordan Lazare <Jordan.Lazare@....com>,
        "Colin Ian King" <colin.king@...onical.com>,
        <amd-gfx@...ts.freedesktop.org>, <dri-devel@...ts.freedesktop.org>,
        <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] drm: fix off-by-one in logger

The current implementation will leak a byte to the log via memmove. The
specified 27 bytes are off-by-one, as the payload is 25 bytes, and the
termination character is only one byte large. To avoid this, factor out
the error message, and furthermore make the second parameter of the
append_entry function const.

The full trace is as follows:

In function ‘memmove’,
   from ‘append_entry’ at
        drivers/gpu/drm/amd/display/dc/basics/logger.c:257:2,
   from ‘dm_logger_append_va’ at
        drivers/gpu/drm/amd/display/dc/basics/logger.c:348:4
   detected read beyond size of object passed as 2nd parameter

Signed-off-by: Norbert Manthey <nmanthey@...zon.de>
---
 drivers/gpu/drm/amd/display/dc/basics/logger.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/basics/logger.c b/drivers/gpu/drm/amd/display/dc/basics/logger.c
index 31bee05..6ba8d0c 100644
--- a/drivers/gpu/drm/amd/display/dc/basics/logger.c
+++ b/drivers/gpu/drm/amd/display/dc/basics/logger.c
@@ -244,7 +244,7 @@ static void log_heading(struct log_entry *entry)
 
 static void append_entry(
 		struct log_entry *entry,
-		char *buffer,
+		const char *buffer,
 		uint32_t buf_size)
 {
 	if (!entry->buf ||
@@ -346,7 +346,9 @@ void dm_logger_append_va(
 		if (size < LOG_MAX_LINE_SIZE - 1) {
 			append_entry(entry, buffer, size);
 		} else {
-			append_entry(entry, "LOG_ERROR, line too long\n", 27);
+			static const char msg[] = "LOG_ERROR, line too long\n";
+
+			append_entry(entry, msg, sizeof(msg));
 		}
 	}
 }
-- 
2.7.4

Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ