lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 05 Dec 2018 17:58:26 +0000
From:   Måns Rullgård <mans@...sr.com>
To:     Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
Cc:     linux-kernel <linux-kernel@...r.kernel.org>,
        Robert Abel <rabel@...ertabel.eu>,
        Geert Uytterhoeven <geert@...ux-m68k.org>,
        Willy Tarreau <w@....eu>,
        Andy Shevchenko <andy.shevchenko@...il.com>
Subject: Re: [PATCH] auxdisplay: charlcd: fix x/y command parsing

Miguel Ojeda <miguel.ojeda.sandonis@...il.com> writes:

> Hi Mans,
>
> [CC'ing a few people involved previously on this]
>
> On Wed, Dec 5, 2018 at 2:53 PM Mans Rullgard <mans@...sr.com> wrote:
>>
>> Commit b34050fadb86 ("auxdisplay: charlcd: Fix and clean up handling of
>> x/y commands") fixed some problems by rewriting the parsing code,
>> but also broke things further by removing the check for a complete
>> command before attempting to parse it.  As a result, parsing is
>> terminated at the first x or y character.
>
> Why is it necessary to check for ";" to be exactly at the end? Or, in
> other words, what requires it?
>
> If the syntax supported by parse_xy() is wrong for some reason, we
> should fix that (instead of adding a check before calling it).

Suppose the command "\e[Lx0y0;" is written to the device.  The
charlcd_write_char() function adds one character at a time to the escape
sequence buffer.  Once the 'L' has been seen, it calls
handle_lcd_special_code() after each additional character is added.  On
encountering the 'x' this function will attempt to parse the command
using parse_xy(), which fails since it is incomplete.  It is nonetheless
reported as processed, and the escape sequence is flushed.  The
remainder of the command (i.e. "0y0;") is then displayed as text.

Since parse_xy() can never return success (true) unless there is a
semicolon, it is pointless to call it until we have seen one.  With the
characters being added to the buffer one by one, it is enough to check
for semicolon at the end.

BTW, the parsing of this command has been broken since 3.2-rc1 due to
commit 129957069e6a.

-- 
Måns Rullgård

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ