| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Dec 2021 19:52:58 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: Andreas Schwab <schwab@...ux-m68k.org>
Cc: geert@...ux-m68k.org, linux-m68k@...ts.linux-m68k.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] m68k/kernel: array out of bound access in process_uboot_commandline
But commandp[len -1] is used to add a zero-terminated. If we don't use
commandp[0]=0 in len == 0,
than commandp will not have a zero-terminated. I think strings may
make some errors beacause of this.
Thanks.
Andreas Schwab <schwab@...ux-m68k.org> 于2021年12月27日周一 17:19写道:
>
> On Dez 27 2021, Hangyu Hua wrote:
>
> > diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
> > index 928dbd33fc4a..05eca6f653b5 100644
> > --- a/arch/m68k/kernel/uboot.c
> > +++ b/arch/m68k/kernel/uboot.c
> > @@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
> > }
> >
> > parse_uboot_commandline(commandp, len);
> > - commandp[len - 1] = 0;
> > + if (len > 0)
> > + commandp[len - 1] = 0;
> > + else
> > + commandp[0] = 0;
>
> If len == 0 then even commandp[0] is OOB.
>
> --
> Andreas Schwab, schwab@...ux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
> "And now for something completely different."
Powered by blists - more mailing lists