lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 Aug 2020 23:04:06 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Masami Hiramatsu <mhiramat@...nel.org>
Subject: Re: [PATCH] bootconfig: Fix off-by-one in
 xbc_node_compose_key_after()

On Thu, 13 Aug 2020 19:38:18 -0700
Andrew Morton <akpm@...ux-foundation.org> wrote:

> On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <rostedt@...dmis.org> wrote:
> 
> > From: Steven Rostedt (VMware) <rostedt@...dmis.org>
> > 
> > While reviewing some patches for bootconfig, I noticed the following
> > code in xbc_node_compose_key_after():
> > 
> > 	ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
> > 		       depth ? "." : "");
> > 	if (ret < 0)
> > 		return ret;
> > 	if (ret > size) {
> > 		size = 0;
> > 	} else {
> > 		size -= ret;
> > 		buf += ret;
> > 	}
> > 
> > But snprintf() returns the number of bytes that would be written, not
> > the number of bytes that are written (ignoring the nul terminator).
> > This means that if the number of non null bytes written were to equal
> > size, then the nul byte, which snprintf() always adds, will overwrite
> > that last byte.
> > 
> > 	ret = snprintf(buf, 5, "hello");
> > 	printf("buf = '%s'\n", buf);
> > 	printf("ret = %d\n", ret);
> > 
> > produces:
> > 
> > 	buf = 'hell'
> > 	ret = 5
> > 
> > The string was truncated without ret being greater than 5.
> > Test (ret >= size) for overwrite.  
> 
> What are the end-user visible effects of the bug?  IOW, why cc:stable?
> 

Hmm, looking at it at a wider view, it may not be an issue. The tools
code calls this code, and I looked to see if it was possible to corrupt
the buffer by an incorrect size. But now that I'm looking at the else
part of the section, it may not be a problem as it may act the same.

That is, ret == size will make size = 0 with the size -= ret, and we
get the same result.

OK, you can drop the patch. Thanks for the review!

Although, there's no error message if the buffer is not big enough to
hold the fields.

Masami?

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ