| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Apr 2020 21:32:18 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Joe Perches <joe@...ches.com>
Cc: Camylla Goncalves Cantanheide <c.cantanheide@...il.com>,
gregkh@...uxfoundation.org, navid.emamdoost@...il.com,
sylphrenadin@...il.com, nishkadg.linux@...il.com,
stephen@...nnan.io, devel@...verdev.osuosl.org,
linux-kernel@...r.kernel.org, lkcamp@...ts.libreplanetbr.org
Subject: Re: [PATCH 1/2] staging: rtl8192u: Refactoring setKey function
On Tue, Apr 14, 2020 at 09:01:18AM -0700, Joe Perches wrote:
> On Tue, 2020-04-14 at 15:33 +0300, Dan Carpenter wrote:
> > On Mon, Apr 13, 2020 at 03:01:28AM +0000, Camylla Goncalves Cantanheide wrote:
> > > +
> > > + for (i = 2; i < CAM_CONTENT_COUNT; i++) {
> > > + write_nic_dword(dev, WCAMI, *keycontent++);
> >
> > This code was wrong in the original as well, but now that I see the bug
> > let's fix it. CAM_CONTENT_COUNT is 8. 8 - 2 = 6. We are writing 6
> > u32 variables to write_nic_dword(). But the *keycontent buffer only has
> > 4 u32 variables so it is a buffer overflow.
>
> Did you find the overflow with smatch?
No. Smatch isn't smart enough to understand that *(keycontent + i - 2)
is an array overflow. It thinks *(keycontent + i) is an array overflow
but the "- 2" confuses it. Also Smatch isn't smart enough to parse the
*keycontent++. It takes a shortcut when it parses loops.
To be honest, I just didn't like starting the loop from 2 and was trying
to see if there was a better define to use.
I agree that your solution of making the buffer larger is probably the
safest approach given that none of us really know the hardware.
regards,
dan carpenter
Powered by blists - more mailing lists