| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHp75VdHnvv6FH1BKcs8WgGF3nJpj77TsrmsQGBSpsAQU_S-bw@mail.gmail.com>
Date: Tue, 26 Apr 2022 12:37:08 +0200
From: Andy Shevchenko <andy.shevchenko@...il.com>
To: Mikulas Patocka <mpatocka@...hat.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Andy Shevchenko <andy@...nel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
device-mapper development <dm-devel@...hat.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Mike Snitzer <msnitzer@...hat.com>,
Milan Broz <gmazyland@...il.com>
Subject: Re: [PATCH] hex2bin: fix access beyond string end
On Sun, Apr 24, 2022 at 10:48 PM Mikulas Patocka <mpatocka@...hat.com> wrote:
>
> If we pass too short string to "hex2bin" (and the string size without the
> terminating NUL character is even), "hex2bin" reads one byte after the
> terminating NUL character. This patch fixes it.
>
> Signed-off-by: Mikulas Patocka <mpatocka@...hat.com>
> Cc: stable@...r.kernel.org
You need to provide a Fixes tag.
...
> while (count--) {
> - int hi = hex_to_bin(*src++);
> - int lo = hex_to_bin(*src++);
> + int hi, lo;
>
> - if ((hi < 0) || (lo < 0))
> + hi = hex_to_bin(*src++);
> + if (hi < 0)
> + return -EINVAL;
return hi;
> + lo = hex_to_bin(*src++);
> + if (lo < 0)
> return -EINVAL;
return lo;
> *dst++ = (hi << 4) | lo;
And on top of that it would be nice to understand if we need to
support half-bytes, but in any case it's not a scope of the patch
right now.
--
With Best Regards,
Andy Shevchenko
Powered by blists - more mailing lists