| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Nov 2021 23:34:01 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: Ajay Garg <ajaygargnsit@...il.com>
Cc: Andy Shevchenko <andy.shevchenko@...il.com>,
Greg KH <gregkh@...uxfoundation.org>, jirislaby@...nel.org,
kernel@...il.dk, David Laight <David.Laight@...lab.com>,
"linux-serial@...r.kernel.org" <linux-serial@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] tty: vt: keyboard: do not copy an extra-byte in
copy_to_user
On 11/6/21 23:30, Ajay Garg wrote:
>> > 2.
>> > == Calculate the actual length of kbs, add 1, and then copy those many
>> > bytes to user-buffer ==
>> >
>> > ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
>> > -EFAULT : 0;
>> > =>
>> > ret = copy_to_user(user_kdgkb->kb_string, kbs, strlen(kbs) + 1) ?
>> > -EFAULT : 0;
>> >
>>
>> But isn't strlen(kbs) is guaranteed to be equal to strlcpy() return
>> value in this case? As I said in previous emails,
>> strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string) by design of
>> this function.
>
> That's the whole point of the discussion :)
>
> The method "vt_do_kdgkb_ioctl" does not manage "func_table[kb_func]".
> Thus, the method does not know whether or not
> strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string).
>
It manages. The code under `case KDSKBSENT:` sets func_table[] entries
via vt_kdskbsent().
kbs = strndup_user(..., sizeof(user_kdgkb->kb_string));
is used to allocate buffer for the func_table[] entry. That's my main
point :)
With regards,
Pavel Skripkin
Powered by blists - more mailing lists