lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7835ce311322434328099d3c9a22b0a5b281c6e4.camel@perches.com>
Date:   Sun, 26 Apr 2020 16:19:24 -0700
From:   Joe Perches <joe@...ches.com>
To:     Denis Efremov <efremov@...ux.com>, linux-block@...r.kernel.org
Cc:     Willy Tarreau <w@....eu>, Christoph Hellwig <hch@...radead.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 3/3] floppy: suppress UBSAN warning in
 setup_rw_floppy()

On Sun, 2020-04-26 at 16:07 +0300, Denis Efremov wrote:
> UBSAN: array-index-out-of-bounds in drivers/block/floppy.c:1521:45
> index 16 is out of range for type 'unsigned char [16]'
[]
> This out-of-bounds access is intentional. The command in struct
> floppy_raw_cmd may take up the space initially intended for the reply
> and the reply count. It is needed for long 82078 commands such as
> RESTORE, which takes 17 command bytes. Initial cmd size is not enough
> and since struct setup_rw_floppy is a part of uapi we check that
> cmd_count is in [0:16+1+16] in raw_cmd_copyin().
> 
> The patch adds union with original cmd,reply_count,reply fields and
> fullcmd field of equivalent size. The cmd accesses are turned to
> fullcmd where appropriate to suppress UBSAN warning.
[]
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
[]
> @@ -1072,7 +1072,7 @@ static void setup_DMA(void)
>  
>  		pr_info("zero dma transfer size:");
>  		for (i = 0; i < raw_cmd->cmd_count; i++)
> -			pr_cont("%x,", raw_cmd->cmd[i]);
> +			pr_cont("%x,", raw_cmd->fullcmd[i]);
>  		pr_cont("\n");

slightly unrelated trivia: perhaps better as:

		print_hex_dump(KERN_INFO, "zero dma transfer size: ",
			       DUMP_PREFIX_NONE, 16, 1,
			       raw_cmd->fullcmd, raw_cmd->cmd_count, false);

to avoid pr_cont use.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ