| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200107220349.1e7424f9@rorschach.local.home>
Date: Tue, 7 Jan 2020 22:03:49 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Masami Hiramatsu <mhiramat@...nel.org>
Cc: Frank Rowand <frowand.list@...il.com>,
Ingo Molnar <mingo@...hat.com>,
Randy Dunlap <rdunlap@...radead.org>,
Namhyung Kim <namhyung@...nel.org>,
Tim Bird <Tim.Bird@...y.com>, Jiri Olsa <jolsa@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Tom Zanussi <tom.zanussi@...ux.intel.com>,
Rob Herring <robh+dt@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Alexey Dobriyan <adobriyan@...il.com>,
Jonathan Corbet <corbet@....net>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 01/22] bootconfig: Add Extra Boot Config support
On Tue, 7 Jan 2020 20:59:45 -0500
Steven Rostedt <rostedt@...dmis.org> wrote:
>
> > +
> > +/*
> > + * Return delimiter or error, no node added. As same as lib/cmdline.c,
> > + * you can use " around spaces, but can't escape " for value.
> > + */
> > +static int __init __xbc_parse_value(char **__v, char **__n)
> > +{
> > + char *p, *v = *__v;
> > + int c, quotes = 0;
> > +
> > + v = skip_spaces(v);
> > + while (*v == '#') {
> > + v = skip_comment(v);
> > + v = skip_spaces(v);
> > + }
> > + if (*v == '"' || *v == '\'') {
> > + quotes = *v;
> > + v++;
> > + }
> > + p = v - 1;
> > + while ((c = *++p)) {
> > + if (!isprint(c) && !isspace(c))
> > + return xbc_parse_error("Non printable value", p);
> > + if (quotes) {
> > + if (c != quotes)
> > + continue;
> > + quotes = 0;
> > + *p++ = '\0';
> > + p = skip_spaces(p);
>
> Hmm, if p here == " \0" then skip_spaces() will make p == "\0"
>
> > + c = *p;
> > + if (c && !strchr(",;\n#}", c))
> > + return xbc_parse_error("No value delimiter", p);
> > + p++;
>
> Now p == one passed "\0" which is in unknown territory.
I like how you have patch 3 use this code. It makes it easy to test,
and valgrind pointed out that this is a bug. With a file that just
contained:
foo = "1"
I ran this:
$ valgrind -v --leak-check=full ./tools/bootconfig/bootconfig -a /tmp/boot-bad /tmp/initrd 2>/tmp/out
Which gave me this:
==18929== Invalid read of size 1
==18929== at 0x483FC02: strpbrk (vg_replace_strmem.c:1690)
==18929== by 0x40263C: xbc_init (bootconfig.c:724)
==18929== by 0x403162: apply_xbc (main.c:255)
==18929== by 0x403346: main (main.c:331)
==18929== Address 0x4a4e09f is 0 bytes after a block of size 15 alloc'd
==18929== at 0x483780B: malloc (vg_replace_malloc.c:309)
==18929== by 0x402B9D: load_xbc_fd (main.c:95)
==18929== by 0x402C87: load_xbc_file (main.c:120)
==18929== by 0x4030AC: apply_xbc (main.c:238)
==18929== by 0x403346: main (main.c:331)
Which proves this the issue as when I apply the patch below, this goes
away:
-- Steve
diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 7a7cdc45bf62..0793ef9f48b8 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -468,7 +468,8 @@ static int __init __xbc_parse_value(char **__v, char **__n)
c = *p;
if (c && !strchr(",;\n#}", c))
return xbc_parse_error("No value delimiter", p);
- p++;
+ if (*p)
+ p++;
break;
}
if (strchr(",;\n#}", c)) {
Powered by blists - more mailing lists