| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Mar 2020 20:45:06 -0400
From: Gabriel Krisman Bertazi <krisman@...labora.com>
To: jdike@...toit.com
Cc: richard@....at, anton.ivanov@...bridgegreys.com,
linux-um@...ts.infradead.org, linux-kernel@...r.kernel.org,
Gabriel Krisman Bertazi <krisman@...labora.com>,
kernel@...labora.com, Martyn Welch <martyn.welch@...labora.com>
Subject: [PATCH 1/2] um: ubd: Prevent buffer overrun on command completion
On the hypervisor side, when completing commands and the pipe is full,
we retry writing only the entries that failed, by offsetting
io_req_buffer, but we don't reduce the number of bytes written, which
can cause a buffer overrun of io_req_buffer, and write garbage to the
pipe.
Cc: Martyn Welch <martyn.welch@...labora.com>
Signed-off-by: Gabriel Krisman Bertazi <krisman@...labora.com>
---
arch/um/drivers/ubd_kern.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
index 6627d7c30f37..0f5d0a699a49 100644
--- a/arch/um/drivers/ubd_kern.c
+++ b/arch/um/drivers/ubd_kern.c
@@ -1606,7 +1606,9 @@ int io_thread(void *arg)
written = 0;
do {
- res = os_write_file(kernel_fd, ((char *) io_req_buffer) + written, n);
+ res = os_write_file(kernel_fd,
+ ((char *) io_req_buffer) + written,
+ n - written);
if (res >= 0) {
written += res;
}
--
2.25.0
Powered by blists - more mailing lists