| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <DB9PR10MB58811C7FBE7EB0600151A6D8E0C69@DB9PR10MB5881.EURPRD10.PROD.OUTLOOK.COM>
Date: Mon, 9 May 2022 10:55:26 +0000
From: "Starke, Daniel" <daniel.starke@...mens.com>
To: Jiri Slaby <jirislaby@...nel.org>,
"linux-serial@...r.kernel.org" <linux-serial@...r.kernel.org>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 1/3] tty: n_gsm: fix buffer over-read in gsm_dlci_data()
> On 04. 05. 22, 10:17, D. Starke wrote:
> > From: Daniel Starke <daniel.starke@...mens.com>
> >
> > 'len' is decreased after each octet that has its EA bit set to 0,
> > which means that the value is encoded with additional octets. However,
> > the final octet does not decreases 'len' which results in 'len' being
> > one byte too long. A buffer over-read may occur in
> > tty_insert_flip_string() as it tries to read one byte more than the passed content size of 'data'.
> > Decrease 'len' also for the final octet which has the EA bit set to 1
> > to write the correct number of bytes from the internal receive buffer
> > to the virtual tty.
> >
> > Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
>
> That commit barely introduced the problem.
You are right. It was introduced in
commit e1eaea46bb40 ("tty: n_gsm line discipline")
This patch was already included in the tty-linus branch. Shall I resubmit it nevertheless?
Best regards,
Daniel Starke
Powered by blists - more mailing lists