| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Feb 2019 13:06:17 +0200
From: Andy Shevchenko <andy.shevchenko@...il.com>
To: Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>
Cc: Petr Mladek <pmladek@...e.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Linus Torvalds <torvalds@...ux-foundation.org>,
"Tobin C . Harding" <me@...in.cc>, Joe Perches <joe@...ches.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Michal Hocko <mhocko@...e.cz>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v6 9/9] vsprintf: Avoid confusion between invalid address
and value
On Tue, Feb 19, 2019 at 5:07 AM Sergey Senozhatsky
<sergey.senozhatsky.work@...il.com> wrote:
> Suppose, in my driver I want to sprintf() IPv4 address. The longest
> possible address is 3 * 4 (%d%d%d) + 3 bytes (dots) + terminating NULL.
> E.g. 111.111.111.111
>
> So I can allocate a 16-bytes buffer (stack or slab) and accidentally
> do an %piS sprintf() on a corrupted in_addr struct:
>
> char buf[16];
> sprintf(buf, "%piS", in_addr);
>
> forcing sprintf() to write "(invalid address)" to a 16-bytes buffer,
> but the thing is - strlen("(invalid address)") > 16.
It would print as many characters as buffer allows. In your case above
the use of sprintf() is a bit fragile.
But yes, the error messages should not be longer than 8 / 16 bytes
depending on 32- or 64-bit build we have.
--
With Best Regards,
Andy Shevchenko
Powered by blists - more mailing lists