lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <14931afb-903b-e7c6-5276-416dab5f08ed@gmail.com>
Date:   Fri, 26 Mar 2021 00:24:47 +0000
From:   Dmitry Safonov <0x7f454c46@...il.com>
To:     Cyrill Gorcunov <gorcunov@...il.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     Alexey Dobriyan <adobriyan@...il.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Andrey Vagin <avagin@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v2] prctl: PR_SET_MM - unify copying of user's auvx

Hi Cyrill,

On 3/23/21 10:06 PM, Cyrill Gorcunov wrote:
[..]
> --- linux-tip.git.orig/kernel/sys.c
> +++ linux-tip.git/kernel/sys.c
> @@ -1961,6 +1961,30 @@ out:
>  	return error;
>  }
>  
> +static int copy_auxv_from_user(unsigned long *auxv, size_t auxv_size,
> +			       const void __user *addr, size_t len)
> +{
> +	BUG_ON(auxv_size != sizeof(current->mm->saved_auxv));

Nit:
size_t auxv_size = sizeof(user_auxv);
BUILD_BUG_ON(sizeof(user_auxv) != sizeof(current->mm->saved_auxv));

(to make it local variable instead of a parameter and get rid of a new
BUG_ON())

> +
> +	if (!addr || len > auxv_size)
> +		return -EINVAL;
> +
> +	memset(auxv, 0, auxv_size);
> +	if (len && copy_from_user(auxv, addr, len))
> +		return -EFAULT;
> +
> +	/*
> +	 * Specification requires the vector to be
> +	 * ended up with AT_NULL entry so user space
> +	 * will notice where to stop enumerating.
> +	 */
> +	if (len == auxv_size) {
> +		auxv[AT_VECTOR_SIZE - 2] = AT_NULL;
> +		auxv[AT_VECTOR_SIZE - 1] = AT_NULL;

I don't follow why it became conditional.
Perhaps, you meant that memset(0) above will zerofy it anyway, but in
case (len == auxv_size - 1) it won't work. Or I'm missing something
obvious :-)

Thanks,
           Dima

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ