lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Y6CFma6PPcvJDGje@kroah.com>
Date:   Mon, 19 Dec 2022 16:39:05 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     "wanghai (M)" <wanghai38@...wei.com>
Cc:     Alice Chao <alice.chao@...iatek.com>, rafael@...nel.org,
        jesse.brandeburg@...el.com, anthony.l.nguyen@...el.com,
        intel-wired-lan@...ts.osuosl.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kobject: Fix slab-out-of-bounds in fill_kobj_path()

On Mon, Dec 19, 2022 at 11:27:58PM +0800, wanghai (M) wrote:
> Can I send v2 like this?
> 
> diff --git a/lib/kobject.c b/lib/kobject.c
> index a0b2dbfcfa23..3f97d903266a 100644
> --- a/lib/kobject.c
> +++ b/lib/kobject.c
> @@ -112,7 +112,7 @@ static int get_kobj_path_length(struct kobject *kobj)
>         return length;
>  }
> 
> -static void fill_kobj_path(struct kobject *kobj, char *path, int length)
> +static int fill_kobj_path(struct kobject *kobj, char *path, int length)
>  {
>         struct kobject *parent;
> 
> @@ -121,12 +121,16 @@ static void fill_kobj_path(struct kobject *kobj, char
> *path, int length)
>                 int cur = strlen(kobject_name(parent));
>                 /* back up enough to print this name with '/' */
>                 length -= cur;
> +               if (length <= 0)
> +                       return -EINVAL;
>                 memcpy(path + length, kobject_name(parent), cur);
>                 *(path + --length) = '/';
>         }
> 
>         pr_debug("kobject: '%s' (%p): %s: path = '%s'\n",
> kobject_name(kobj),
>                  kobj, __func__, path);
> +
> +       return 0;
>  }
> 
>  /**
> @@ -141,13 +145,17 @@ char *kobject_get_path(struct kobject *kobj, gfp_t
> gfp_mask)
>         char *path;
>         int len;
> 
> +retry:
>         len = get_kobj_path_length(kobj);
>         if (len == 0)
>                 return NULL;
>         path = kzalloc(len, gfp_mask);
>         if (!path)
>                 return NULL;
> -       fill_kobj_path(kobj, path, len);
> +       if (fill_kobj_path(kobj, path, len)) {
> +               kfree(path);
> +               goto retry;
> +       }

Much nicer, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ