lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <a0fdfd97-d3e2-3299-0d1c-df13158e799a@samsung.com>
Date:   Fri, 20 Mar 2020 14:35:32 +0100
From:   Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
To:     Dominik 'disconnect3d' Czarnota <dominik.b.czarnota@...il.com>
Cc:     Antonino Daplas <adaplas@...il.com>, linux-fbdev@...r.kernel.org,
        dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Fix off by one in nvidia driver strncpy size arg


On 3/9/20 1:49 PM, Dominik 'disconnect3d' Czarnota wrote:
> From: disconnect3d <dominik.b.czarnota@...il.com>
> 
> This patch fixes an off-by-one error in strncpy size argument in
> drivers/video/fbdev/nvidia/nvidia.c. The issue is that in:
> 
>         strncmp(this_opt, "noaccel", 6)
> 
> the passed string literal: "noaccel" has 7 bytes (without the NULL byte)
> and the passed size argument is 6. As a result, the logic will also
> match/accept string "noacce" or "noacceX".
> 
> This bug doesn't seem to have any security impact since its present in
> the driver's setup and just accepts slighty changed string to enable the
> `noaccel` flag.
> 
> Signed-off-by: disconnect3d <dominik.b.czarnota@...il.com>

Patch looks fine but please fix 'From:' and 'S-o-b:' lines,

per Documentation/process/submitting-patches.rst:

...
then you just add a line saying::

        Signed-off-by: Random J Developer <random@...eloper.example.org>

using your real name (sorry, no pseudonyms or anonymous contributions.)
...

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

> ---
> 
> Notes:
>     The bug could also be fixed by changing the size argument to
>     `sizeof("string literal")-1` but I am not proposing this change as that
>     would have to be changed in other places.
>     
>     There are also more cases like this in kernel sources which I
>     reported/will report soon.
>     
>     This bug has been found by running a massive grep-like search using
>     Google's BigQuery on GitHub repositories data. I am also going to work
>     on a CodeQL/Semmle query to be able to find more sophisticated cases
>     like this that can't be found via grepping.
> 
>  drivers/video/fbdev/nvidia/nvidia.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
> index c583c018304d..b77efeb33477 100644
> --- a/drivers/video/fbdev/nvidia/nvidia.c
> +++ b/drivers/video/fbdev/nvidia/nvidia.c
> @@ -1470,7 +1470,7 @@ static int nvidiafb_setup(char *options)
>  			flatpanel = 1;
>  		} else if (!strncmp(this_opt, "hwcur", 5)) {
>  			hwcur = 1;
> -		} else if (!strncmp(this_opt, "noaccel", 6)) {
> +		} else if (!strncmp(this_opt, "noaccel", 7)) {
>  			noaccel = 1;
>  		} else if (!strncmp(this_opt, "noscale", 7)) {
>  			noscale = 1;
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ