Date:   Mon, 18 Feb 2019 14:04:16 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Al Viro <viro@...iv.linux.org.uk>
cc:     Arthur Gautier <baloo@...di.net>,
        Andy Lutomirski <luto@...capital.net>,
        Jann Horn <jannh@...gle.com>,
        the arch/x86 maintainers <x86@...nel.org>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        kernel list <linux-kernel@...r.kernel.org>,
        Pascal Bouchareine <pascal@...di.net>
Subject: Re: [PATCH] x86: uaccess: fix regression in unsafe_get_user

On Sun, 17 Feb 2019, Al Viro wrote:
> On Sun, Feb 17, 2019 at 03:41:21AM +0000, Arthur Gautier wrote:
> Who says anything about changing the format of the file?  At least
> one trivial way to handle that would be this:
> 
> diff --git a/init/initramfs.c b/init/initramfs.c
> index 7cea802d00ef..edbddfb73106 100644
> --- a/init/initramfs.c
> +++ b/init/initramfs.c
> @@ -265,8 +265,12 @@ static int __init do_header(void)
>  		state = Collect;
>  		return 0;
>  	}
> -	if (S_ISREG(mode) || !body_len)
> -		read_into(name_buf, N_ALIGN(name_len), GotName);
> +	if (S_ISREG(mode) || !body_len) {
> +		collect = collected = name_buf;
> +		remains = N_ALIGN(name_len);
> +		next_state = GotName;
> +		state = Collect;
> +	}
>  	return 0;
>  }
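Review bot: The replacement block unconditionally forces `state = Collect` and relies on a later call into the state machine to deliver the `remains` bytes before `next_state = GotName` is reached; when the header is the last thing in the decompressed image no such call arrives, so the name is never collected and the original problem is not fixed. The four assignments also open-code the same setup the Collect path a few lines above performs (`state = Collect; return 0;`), so if this direction is kept they belong in a small helper shared with read_into() rather than being duplicated inline.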

That does not help much because that is exactly at the end of the
decompressed image and the decompressor is done. So nothing would collect
the remainder anymore.

> Another would be to have the buffer passed to flush_buffer() (i.e.
> the callback of decompress_fn) allocated with 4 bytes of padding
> past the part where the unpacked piece of data is placed for the
> callback to find.  As in,
> 
> diff --git a/lib/decompress_inflate.c b/lib/decompress_inflate.c
> index 63b4b7eee138..ca3f7ecc9b35 100644
> --- a/lib/decompress_inflate.c
> +++ b/lib/decompress_inflate.c
> @@ -48,7 +48,7 @@ STATIC int INIT __gunzip(unsigned char *buf, long len,
>  	rc = -1;
>  	if (flush) {
>  		out_len = 0x8000; /* 32 K */
> -		out_buf = malloc(out_len);
> +		out_buf = malloc(out_len + 4);

  +8 actually.

>  	} else {
>  		if (!out_len)
>  			out_len = ((size_t)~0) - (size_t)out_buf; /* no limit */
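Review bot: `malloc(out_len + 4)` pads the buffer with a bare magic number, and the interleaved reply already puts the required slack at 8 bytes rather than 4; whichever value is right, it should be a named constant with a comment saying which consumer reads past the end of the unpacked data and by how much, otherwise the next person to touch this allocation will not know why it is larger than `out_len`. Note also that the decompressor never writes the extra bytes, so the padding only guarantees that an over-read stays inside the allocation, not that it returns defined data, and the callback must not depend on their contents. Finally, only the gzip path is touched here; as the accompanying text says, bzip2 and the other decompressors need the same change before the header parser can rely on the padding being present.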
> 
> for gunzip/decompress and similar ones for bzip2, etc.  The contents
> layout doesn't have anything to do with that...

Right. That works nicely.

Thanks,

	tglx
