lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200414181812.GE14511@kadam>
Date:   Tue, 14 Apr 2020 21:32:18 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Joe Perches <joe@...ches.com>
Cc:     Camylla Goncalves Cantanheide <c.cantanheide@...il.com>,
        gregkh@...uxfoundation.org, navid.emamdoost@...il.com,
        sylphrenadin@...il.com, nishkadg.linux@...il.com,
        stephen@...nnan.io, devel@...verdev.osuosl.org,
        linux-kernel@...r.kernel.org, lkcamp@...ts.libreplanetbr.org
Subject: Re: [PATCH 1/2] staging: rtl8192u: Refactoring setKey function

On Tue, Apr 14, 2020 at 09:01:18AM -0700, Joe Perches wrote:
> On Tue, 2020-04-14 at 15:33 +0300, Dan Carpenter wrote:
> > On Mon, Apr 13, 2020 at 03:01:28AM +0000, Camylla Goncalves Cantanheide wrote:
> > > +
> > > +	for (i = 2; i < CAM_CONTENT_COUNT; i++) {
> > > +		write_nic_dword(dev, WCAMI, *keycontent++);
> > 
> > This code was wrong in the original as well, but now that I see the bug
> > let's fix it.  CAM_CONTENT_COUNT is 8.  8 - 2 = 6.  We are writing 6
> > u32 variables to write_nic_dword().  But the *keycontent buffer only has
> > 4 u32 variables so it is a buffer overflow.
> 
> Did you find the overflow with smatch?

No.  Smatch isn't smart enough to understand that *(keycontent + i - 2)
is an array overflow.  It thinks *(keycontent + i) is an array overflow
but the "- 2" confuses it.  Also Smatch isn't smart enough to parse the
*keycontent++.  It takes a shortcut when it parses loops.

To be honest, I just didn't like starting the loop from 2 and was trying
to see if there was a better define to use.

I agree that your solution of making the buffer larger is probably the
safest approach given that none of us really know the hardware.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ