Date:   Mon, 9 May 2022 10:55:26 +0000
From:   "Starke, Daniel" <daniel.starke@...mens.com>
To:     Jiri Slaby <jirislaby@...nel.org>,
        "linux-serial@...r.kernel.org" <linux-serial@...r.kernel.org>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 1/3] tty: n_gsm: fix buffer over-read in gsm_dlci_data()

> On 04. 05. 22, 10:17, D. Starke wrote:
> > From: Daniel Starke <daniel.starke@...mens.com>
> > 
> > 'len' is decreased after each octet that has its EA bit set to 0, 
> > which means that the value is encoded with additional octets. However, 
> > the final octet does not decrease 'len' which results in 'len' being 
> > one byte too long. A buffer over-read may occur in 
> > tty_insert_flip_string() as it tries to read one byte more than the 
> > passed content size of 'data'.
> > Decrease 'len' also for the final octet which has the EA bit set to 1 
> > to write the correct number of bytes from the internal receive buffer 
> > to the virtual tty.
> > 
> > Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
>
> That commit barely introduced the problem.

You are right. It was introduced in
commit e1eaea46bb40 ("tty: n_gsm line discipline")

This patch was already included in the tty-linus branch. Shall I resubmit it nevertheless?

Best regards,
Daniel Starke
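
The length accounting described in the quoted commit message, as an added user-space example (not part of this thread and not the n_gsm source). `read_ea()`, `payload_len()`, the `fixed` switch and the frame bytes are constructed for illustration, and the EA convention assumed is that the low bit is 1 on the final octet.

```c
#include <stdio.h>

#define EA 0x01 /* assumed convention: low bit set marks the final octet */

/* Model helper: take 7 value bits per octet, return non-zero on the last. */
static int read_ea(unsigned int *val, unsigned char c)
{
	*val = (*val << 7) | (c >> 1);
	return c & EA;
}

/*
 * Skip the EA-encoded header at the start of data[0..clen) and return the
 * length that would be passed on for copying, or -1 if the header never
 * ends. fixed == 0 models the accounting before the patch, fixed == 1
 * after it. *consumed (optional) receives the header octet count.
 */
static int payload_len(const unsigned char *data, int clen, int fixed,
		       int *consumed)
{
	const unsigned char *p = data;
	unsigned int modem = 0;
	int len = clen;

	if (clen <= 0)
		return -1;
	while (read_ea(&modem, *p++) == 0) {
		len--;			/* octet with EA = 0 is counted */
		if (len == 0)
			return -1;	/* input ended inside the header */
	}
	if (fixed)
		len--;			/* final octet (EA = 1) counted too */
	if (consumed)
		*consumed = (int)(p - data);
	return len;
}

int main(void)
{
	/* Constructed frame: header octets 0x02 (EA=0), 0x03 (EA=1), "AB". */
	static const unsigned char frame[] = { 0x02, 0x03, 'A', 'B' };
	int used = 0, n = (int)sizeof(frame);
	for (int fixed = 0; fixed <= 1; fixed++) {
		int len = payload_len(frame, n, fixed, &used);
		printf("fixed=%d: len=%d, bytes left=%d\n", fixed, len, n - used);
	}
	return 0;
}
```

With `fixed == 0` the returned length is always one more than the bytes left after the header, which is the one-byte over-read the commit message describes.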
