lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 22 Sep 2020 10:08:20 +0200
From:   Petr Mladek <pmladek@...e.com>
To:     Jim Cromie <jim.cromie@...il.com>
Cc:     jbaron@...mai.com, gregkh@...uxfoundation.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] dyndbg: dont panic over bad input

On Mon 2020-09-21 13:04:32, Jim Cromie wrote:
> This BUG_ON, from 2009, caught the impossible case of a word-char both
> starting and ending a string (loosely speaking).  A bad (reverted)
> patch finally hit this case, but even "impossibly bad input" is no
> reason to panic the kernel.  Instead pr_err and return -EINVAL.
> 
> Reported-by: Petr Mladek <pmladek@...e.com>
> Signed-off-by: Jim Cromie <jim.cromie@...il.com>
> ---
>  lib/dynamic_debug.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
> index 2d4dfd44b0fa5..90ddf07ce34fe 100644
> --- a/lib/dynamic_debug.c
> +++ b/lib/dynamic_debug.c
> @@ -259,7 +259,10 @@ static int ddebug_tokenize(char *buf, char *words[], int maxwords)
>  		} else {
>  			for (end = buf; *end && !isspace(*end); end++)
>  				;
> -			BUG_ON(end == buf);
> +			if (end == buf) {
> +				pr_err("expected non-empty bareword");
> +				return -EINVAL;

My understanding is that the BUG_ON() was there to catch eventual bugs
in the algorithm.

IMHO, it was never reachable in the original code:

   1. The following lines will skip all spaces and bail out
      when we reached the trailing '\0':

		buf = skip_spaces(buf);
		if (!*buf)
			break;	/* oh, it was trailing whitespace */


   2. The following code will find the end of a quoted text:

		if (*buf == '"' || *buf == '\'') {
			int quote = *buf++;
			for (end = buf; *end && *end != quote; end++)


    3. The else part will find end of non-quoted word:

		} else {
			for (end = buf; *end && !isspace(*end); end++)

    4. The BUG_ON() will trigger when the above cycle reached the
       trailing '\0' or space.

       This will never happen because this situation was caught
       in the 1st step.


Your patch triggered the BUG_ON() because it wanted to handle
'=' as a special character and was incomplete.

If you want to handle '=' special way. You need to do it the same way
as with the space. You need to skip it in 1st step. And it must mark
the end of the word in 4th step.

But it will be more complicated. You must be able to handle
mix of spaces and '='. I mean the following situations:

    word=word
    word =word
    word= word
    word = word
    word = = word   /* failure ? */


Back to the BUG_ON(). It might be changed to something like:

	pr_err("Internal error when parsing dynamic debug query\n");
	return -EINVAL;


Best Regards,
Petr

Powered by blists - more mailing lists