| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210916091440.zk2qvdmldo6wkryi@wittgenstein>
Date: Thu, 16 Sep 2021 11:14:40 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: Vivek Goyal <vgoyal@...hat.com>
Cc: viro@...iv.linux.org.uk,
Linux fsdevel mailing list <linux-fsdevel@...r.kernel.org>,
linux kernel mailing list <linux-kernel@...r.kernel.org>,
Jan Kara <jack@...e.cz>, xu.xin16@....com.cn,
Christoph Hellwig <hch@...radead.org>, zhang.yunkai@....com.cn
Subject: Re: [PATCH] init/do_mounts.c: Harden split_fs_names() against buffer
overflow
On Wed, Sep 15, 2021 at 11:22:04AM -0400, Vivek Goyal wrote:
> split_fs_names() currently takes comma separated list of filesystems
> and converts it into individual filesystem strings. Pleaces these
> strings in the input buffer passed by caller and returns number of
> strings.
>
> If caller manages to pass input string bigger than buffer, then we
> can write beyond the buffer. Or if string just fits buffer, we will
> still write beyond the buffer as we append a '\0' byte at the end.
>
> Will be nice to pass size of input buffer to split_fs_names() and
> put enough checks in place so such buffer overrun possibilities
> do not occur.
>
> Hence this patch adds "size" parameter to split_fs_names() and makes
> sure we do not access memory beyond size. If input string "names"
> is larger than passed in buffer, input string will be truncated to
> fit in buffer.
>
> Reported-by: xu xin <xu.xin16@....com.cn>
> Signed-off-by: Vivek Goyal <vgoyal@...hat.com>
> ---
Strange but probably reasonable,
Acked-by: Christian Brauner <christian.brauner@...ntu.com>
Powered by blists - more mailing lists