| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Nov 2021 14:23:51 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: Ajay Garg <ajaygargnsit@...il.com>, linux-serial@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tty: vt: keyboard: do not copy an extra-byte in
copy_to_user
Hi, Ajay!
On 11/6/21 12:20, Ajay Garg wrote:
> Both (statically-allocated) "user_kdgkb->kb_string" and
> (dynamically-allocated) "kbs" are of length "len", so we must
> not copy more than "len" bytes.
>
> Signed-off-by: Ajay Garg <ajaygargnsit@...il.com>
> ---
> drivers/tty/vt/keyboard.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> index c7fbbcdcc346..dfef7de8a057 100644
> --- a/drivers/tty/vt/keyboard.c
> +++ b/drivers/tty/vt/keyboard.c
> @@ -2070,7 +2070,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
> len = strlcpy(kbs, func_table[kb_func] ? : "", len);
^^^^^^^^^
len is reinitialized here, i.e len passed to kmalloc and len passed to
copy_to_user() can be different.
strlcpy() returns strlen() of source string (2nd argument), that's why
we need +1 here to pass null byte to user.
Am I missing something?
> spin_unlock_irqrestore(&func_buf_lock, flags);
>
> - ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
> + ret = copy_to_user(user_kdgkb->kb_string, kbs, len) ?
> -EFAULT : 0;
>
> break;
>
With regards,
Pavel Skripkin
Powered by blists - more mailing lists