lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <212f878e-1bbe-347c-ba43-e4ffb9b4afbe@linux.alibaba.com>
Date:   Wed, 29 Sep 2021 10:38:59 +0800
From:   Joseph Qi <joseph.qi@...ux.alibaba.com>
To:     Valentin Vidić <vvidic@...entin-vidic.from.hr>
Cc:     Mark Fasheh <mark@...heh.com>, Joel Becker <jlbec@...lplan.org>,
        ocfs2-devel@....oracle.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ocfs2: mount fails with buffer overflow in strlen

Okay, you are right, strlen(src) is indeed wrong here.

But please note that in strlcpy():
if (size) {
	size_t len = (ret >= size) ? size - 1 : ret;
	memcpy(dest, src, len);
	dest[len] = '\0';
}

Take ci_stack "o2cb" for example, strlen("o2cb") may return wrong if the
coming byte is not null, say it is 10.
The input size is 5, so len will finally be 4.
So dest is still correct ending with null byte. No overflow happens.
So the problem here is the wrong return value, but it is discarded in
ocfs2_initialize_super().

Thanks,
Joseph

On 9/28/21 9:14 PM, Valentin Vidić wrote:
> On Tue, Sep 28, 2021 at 08:05:22PM +0800, Joseph Qi wrote:
>> strlcpy in ocfs2_initialize_super() is introduced 8 years ago, so I
>> don't understand why you've mentioned that the issues starts from
>> v5.11.
> 
> v5.11 introduced the overflow checks to string functions so that is
> when the mount started to fail.
> 
>> osb->osb_cluster_stack and osb->osb_cluster_name is always larger by
>> 1 than which in ocfs2_cluster_info, and the input size of strlcpy does
>> the same, so I don't see how it overflows.
> 
> strlcpy internally calls strlen on the source argument, in this case
> that is ci_stack array with size of 4. That array stores the value
> "o2cb" so the strlen continues reading into the union until it reaches
> a zero byte somewhere. The same would happen with ci_cluster if the
> cluster name is long enough.
> 
> struct ocfs2_cluster_info {
> /*00*/	__u8   ci_stack[OCFS2_STACK_LABEL_LEN];
> 	union {
> 		__le32 ci_reserved;
> 		struct {
> 			__u8 ci_stackflags;
> 			__u8 ci_reserved1;
> 			__u8 ci_reserved2;
> 			__u8 ci_reserved3;
> 		};
> 	};
> /*08*/	__u8   ci_cluster[OCFS2_CLUSTER_NAME_LEN];
> /*18*/
> };
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ