lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 18 May 2023 10:37:05 +0800
From:   Xia Fukun <xiafukun@...wei.com>
To:     Greg KH <gregkh@...uxfoundation.org>
CC:     <prajnoha@...hat.com>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v6] kobject: Fix global-out-of-bounds in
 kobject_action_type()

On 2023/5/17 20:17, Greg KH wrote:
> On Wed, May 17, 2023 at 06:19:57PM +0800, Xia Fukun wrote:
>> --- a/include/linux/kobject.h
>> +++ b/include/linux/kobject.h
>> @@ -32,6 +32,9 @@
>>  #define UEVENT_NUM_ENVP			64	/* number of env pointers */
>>  #define UEVENT_BUFFER_SIZE		2048	/* buffer for the variables */
>>  
>> +/* the maximum length of the string contained in kobject_actions[] */
>> +#define UEVENT_KACT_STRSIZE		16
> 
> Why does this value need to be in a global .h file when it is only used
> in one .c file?
> 
> And how are you going to keep it in sync with kobject_actions if it
> changes in the future?  And that variable isn't even in this file, how
> would anyone know to modify this if the structure changes in a .c file?


Your criticism is correct. UEVENT_KACT_STRSIZE should not be defined
in the global .h file here. I will move it to that .c file.


>> --- a/lib/kobject_uevent.c
>> +++ b/lib/kobject_uevent.c
>> @@ -66,7 +66,8 @@ static int kobject_action_type(const char *buf, size_t count,
>>  	enum kobject_action action;
>>  	size_t count_first;
>>  	const char *args_start;
>> -	int ret = -EINVAL;
>> +	int i, ret = -EINVAL;
>> +	char kobj_act_buf[UEVENT_KACT_STRSIZE] = "";
> 
> Why does this need to be initialized?


My initialization method has some flaws, which should be done as follows:

char kobj_act_buf[UEVENT_KACT_STRSIZE] = {0};

Initialize the string kobj_act_buf to "/0" and parse it
using sysfs_match_string after subsequent copy operations.


> And are you sure the size is correct?  If so, how?

UEVENT_KACT_STRSIZE is defined as the maximum length of the string
contained in kobject_actions[].

At present, the maximum length of strings in this array is 7. Based on
the actual meaning of these strings, these actions will not exceed 16
if there are any subsequent changes.

> And how was any of this tested?  Based on your prior submissions, we are
> going to require some sort of proof.  What would you do if you were in
> my position?

My testing method is to apply the patch, compile the kernel image,
and start the QEMU virtual machine. Then compile and execute the code
mentioned in the patch that triggers out-of-bounds issues.

In addition, the following operations will be performed to verify the
functions mentioned by Peter Rajnoha <prajnoha@...hat.com>:

# echo "add fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed A=1 B=abc" >
/sys/block/ram0/uevent

# udevadm monitor --kernel --env
monitor will print the received events for:
KERNEL - the kernel uevent

KERNEL[189.376386] add      /devices/virtual/block/ram0 (block)
ACTION=add
DEVPATH=/devices/virtual/block/ram0
SUBSYSTEM=block
SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed
SYNTH_ARG_A=1
SYNTH_ARG_B=abc
DEVNAME=/dev/ram0
DEVTYPE=disk
DISKSEQ=14
SEQNUM=3781
MAJOR=1
MINOR=0

> thanks,
> 
> greg k-h

Thank you for your suggestion. My submission was indeed negligent,
and your guidance has benefited me greatly.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ