lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 9 Mar 2020 08:40:28 +0000
From:   Walter Harms <wharms@....de>
To:     Dan Carpenter <dan.carpenter@...cle.com>,
        "Tigran A. Aivazian" <aivazian.tigran@...il.com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: AW: [PATCH] bfs: prevent underflow in bfs_find_entry()


________________________________________
Von: kernel-janitors-owner@...r.kernel.org <kernel-janitors-owner@...r.kernel.org> im Auftrag von Dan Carpenter <dan.carpenter@...cle.com>
Gesendet: Samstag, 7. März 2020 07:08
An: Tigran A. Aivazian
Cc: linux-kernel@...r.kernel.org; kernel-janitors@...r.kernel.org
Betreff: [PATCH] bfs: prevent underflow in bfs_find_entry()

We check if "namelen" is larger than BFS_NAMELEN but we don't check
if it's less than zero so it causes a static checker.

    fs/bfs/dir.c:346 bfs_find_entry() warn: no lower bound on 'namelen'

It's nicer to make it unsigned anyway.

Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
 fs/bfs/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/bfs/dir.c b/fs/bfs/dir.c
index d8dfe3a0cb39..46a2663e5eb2 100644
--- a/fs/bfs/dir.c
+++ b/fs/bfs/dir.c
@@ -326,7 +326,7 @@ static struct buffer_head *bfs_find_entry(struct inode *dir,
        struct buffer_head *bh = NULL;
        struct bfs_dirent *de;
        const unsigned char *name = child->name;
-       int namelen = child->len;
+       unsigned int namelen = child->len;

        *res_dir = NULL;
        if (namelen > BFS_NAMELEN)

hi Dan,
the namelen usage is fishy. It goes into bfs_namecmp()
where it is checked for namelen < BFS_NAMELEN, leaving
only the case ==.
bfs_namecmp() expects an int, so i would expect a warning.
Perhaps in this case it is better to change the if() into

if ( namelen <= 0 ||  namelen >= BFS_NAMELEN)
 return NULL;

note:  bfs_add_entry has the same "issue"

jm2c,
re,
 wh

--
2.11.0

Powered by blists - more mailing lists