lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 13 Aug 2020 19:38:18 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Masami Hiramatsu <mhiramat@...nel.org>
Subject: Re: [PATCH] bootconfig: Fix off-by-one in
 xbc_node_compose_key_after()

On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <rostedt@...dmis.org> wrote:

> From: Steven Rostedt (VMware) <rostedt@...dmis.org>
> 
> While reviewing some patches for bootconfig, I noticed the following
> code in xbc_node_compose_key_after():
> 
> 	ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
> 		       depth ? "." : "");
> 	if (ret < 0)
> 		return ret;
> 	if (ret > size) {
> 		size = 0;
> 	} else {
> 		size -= ret;
> 		buf += ret;
> 	}
> 
> But snprintf() returns the number of bytes that would be written, not
> the number of bytes that are written (ignoring the nul terminator).
> This means that if the number of non null bytes written were to equal
> size, then the nul byte, which snprintf() always adds, will overwrite
> that last byte.
> 
> 	ret = snprintf(buf, 5, "hello");
> 	printf("buf = '%s'\n", buf);
> 	printf("ret = %d\n", ret);
> 
> produces:
> 
> 	buf = 'hell'
> 	ret = 5
> 
> The string was truncated without ret being greater than 5.
> Test (ret >= size) for overwrite.

What are the end-user visible effects of the bug?  IOW, why cc:stable?


Powered by blists - more mailing lists