| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Oct 2018 08:21:19 -0700
From: Bart Van Assche <bvanassche@....org>
To: Kyungtae Kim <kt0755@...il.com>, Jens Axboe <axboe@...nel.dk>
Cc: jikos@...nel.org, Byoungyoung Lee <lifeasageek@...il.com>,
DaeRyong Jeong <threeearcat@...il.com>,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] floppy: Avoid memory access beyond the array bounds in
setup_rw_floppy()
On Fri, 2018-10-26 at 10:39 -0400, Kyungtae Kim wrote:
> setup_rw_floppy() writes some bytes of array cmd to the floppy disk
> controller, depending on cmd_count.
> Although the size of array cmd is fixed like 16, cmd_count can be much
> larger through raw_cmd_ioctl().
> Noticed there is no bound check for this, thereby leading to invalid
> memory access.
Against which kernel tree did you prepare this patch? Just above the code
you want to insert I found the following:
if (ptr->cmd_count > 33) ...
Why does that statement compare cmd_count with 33? Is that comparison correct
or not? Anyway, I don't think it makes sense first to compare cmd_count against
33 and next to compare it against 16 ...
> + if (ptr->cmd_count > ARRAY_SIZE(ptr->cmd))
> + return -EINVAL;
This comparison looks suspicious to me. Almost every comparison of the type
"... > ARRAY_SIZE()" I have seen so far was wrong and should be changed into
"... >= ARRAY_SIZE()" instead.
Bart.
Powered by blists - more mailing lists