lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190119171550.GB12171@hacktheplanet>
Date:   Sat, 19 Jan 2019 12:15:50 -0500
From:   Scott Bauer <sbauer@...donthack.me>
To:     David Kozub <zub@...ux.fjfi.cvut.cz>
Cc:     linux-kernel@...r.kernel.org, axboe@...nel.dk, hch@...radead.org,
        jonathan.derrick@...el.com
Subject: Re: [PATCH v2 11/16] block: sed-opal: ioctl for writing to shadow mbr

On Thu, Jan 17, 2019 at 09:31:51PM +0000, David Kozub wrote:
 
> +static int write_shadow_mbr(struct opal_dev *dev, void *data)
> +{
> +	struct opal_shadow_mbr *shadow = data;
> +	const u8 __user *src;
> +	u8 *dst;
> +	size_t off = 0;
> +	u64 len;
> +	int err = 0;
> +
> +	/* do the actual transmission(s) */
> +	src = (u8 *) shadow->data;
> +	while (off < shadow->size) {
> +		err = cmd_start(dev, opaluid[OPAL_MBR], opalmethod[OPAL_SET]);
> +		add_token_u8(&err, dev, OPAL_STARTNAME);
> +		add_token_u8(&err, dev, OPAL_WHERE);
> +		add_token_u64(&err, dev, shadow->offset + off);
> +		add_token_u8(&err, dev, OPAL_ENDNAME);
> +
> +		add_token_u8(&err, dev, OPAL_STARTNAME);
> +		add_token_u8(&err, dev, OPAL_VALUES);
> +
> +		/*
> +		 * The bytestring header is either 1 or 2 bytes, so assume 2.
> +		 * There also needs to be enough space to accommodate the
> +		 * trailing OPAL_ENDNAME (1 byte) and tokens added by
> +		 * cmd_finalize.
> +		 */
> +		len = min(remaining_size(dev) - (2+1+CMD_FINALIZE_BYTES_NEEDED),
> +			  (size_t)(shadow->size - off));

What if remaining_size(dev) <  2 + 1 + CMD_FINALIZE_BYTES_NEEDED? If that's possible we
get min(UINT_MAX(ish) , some size larger than our remaining buffer) and that's not good.


> +		pr_debug("MBR: write bytes %zu+%llu/%llu\n",
> +			 off, len, shadow->size);
> +
> +		dst = add_bytestring_header(&err, dev, len);
> +		if (!dst)
> +			break;
> +		if (copy_from_user(dst, src + off, len))
> +			err = -EFAULT;
> -- 
> 2.20.1
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ