Date:   Mon, 31 Jul 2023 16:24:26 -0700
From:   Bjorn Andersson <andersson@...nel.org>
To:     Praveenkumar I <quic_ipkumar@...cinc.com>
Cc:     agross@...nel.org, konrad.dybcio@...aro.org,
        linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
        quic_varada@...cinc.com, quic_clew@...cinc.com
Subject: Re: [PATCH v2] soc: qcom: qmi_encdec: Restrict string length in
 decode

On Mon, Jul 31, 2023 at 03:33:11PM +0530, Praveenkumar I wrote:
> The QMI TLV value for strings in a lot of qmi element info structures
> account for null terminated strings with MAX_LEN + 1. If a string is
> actually MAX_LEN + 1 length, this will cause an out of bounds access
> when the NULL character is appended in decoding.
> 
> Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
> Cc: stable@...r.kernel.org
> Signed-off-by: Chris Lew <quic_clew@...cinc.com>
> Signed-off-by: Praveenkumar I <quic_ipkumar@...cinc.com>

The signed-off-by list says that Chris certified the patch's origin
first, then you took it, certified the origin and submitted it to the
mailing list.

This matches reality, but you lost Chris' authorship in the process,
please add that back.

Thanks,
Bjorn

> ---
> [v2]:
> 	Added Fixes and Cc: stable
> 
>  drivers/soc/qcom/qmi_encdec.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c
> index b7158e3c3a0b..5c7161b18b72 100644
> --- a/drivers/soc/qcom/qmi_encdec.c
> +++ b/drivers/soc/qcom/qmi_encdec.c
> @@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array,
>  		decoded_bytes += rc;
>  	}
>  
> -	if (string_len > temp_ei->elem_len) {
> -		pr_err("%s: String len %d > Max Len %d\n",
> +	if (string_len >= temp_ei->elem_len) {
> +		pr_err("%s: String len %d >= Max Len %d\n",
>  		       __func__, string_len, temp_ei->elem_len);
>  		return -ETOOSMALL;
>  	} else if (string_len > tlv_len) {
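
Review bot: the tightened test at `if (string_len >= temp_ei->elem_len)` now rejects a string of exactly elem_len bytes, which is only right for element tables that size the field as MAX_LEN + 1, and the commit message says "a lot of" tables do that, not all of them. Please add a short comment above the check stating that elem_len must include room for the terminating NUL, and confirm that no table declaring elem_len without the + 1 relies on receiving a maximum-length string, since such a message will now fail decode with -ETOOSMALL.
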
> -- 
> 2.34.1
> 
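
The off-by-one described in the commit message, as an added userspace illustration (not the kernel's code and not part of the original mail): a field of MAX_LEN + 1 bytes is followed by a guard byte, and the old `>` test is compared with the patched `>=` test. `model_decode_string`, `run_case`, the sizes and the guard value are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LEN   8               /* constructed sample limit */
#define ELEM_LEN  (MAX_LEN + 1)   /* field sized for MAX_LEN chars plus NUL */
#define CANARY    0xA5            /* guard byte placed right after the field */
#define ERR_TOO_SMALL (-1)        /* stand-in for the kernel's -ETOOSMALL */

/* Hypothetical userspace model of the length check and NUL append; not the
 * kernel function. fixed == 0 uses the old '>' test, fixed != 0 the '>='. */
static int model_decode_string(char *dst, unsigned int elem_len,
                               const char *src, unsigned int string_len,
                               int fixed)
{
    if (fixed ? string_len >= elem_len : string_len > elem_len)
        return ERR_TOO_SMALL;
    memcpy(dst, src, string_len);
    dst[string_len] = '\0';       /* safe only when string_len < elem_len */
    return 0;
}

/* Decode into an ELEM_LEN-byte field followed by one guard byte.
 * Returns 1 if the guard was overwritten, 0 if not, -1 if rejected. */
static int run_case(unsigned int string_len, int fixed)
{
    char storage[ELEM_LEN + 1];
    char wire[ELEM_LEN];          /* constructed payload, no terminator */

    memset(wire, 'A', sizeof(wire));
    memset(storage, 0, ELEM_LEN);
    storage[ELEM_LEN] = (char)CANARY;
    if (model_decode_string(storage, ELEM_LEN, wire, string_len, fixed))
        return -1;
    return (unsigned char)storage[ELEM_LEN] != CANARY;
}

int main(void)
{
    printf("old check, len = MAX_LEN     : %d\n", run_case(MAX_LEN, 0));
    printf("old check, len = MAX_LEN + 1 : %d\n", run_case(ELEM_LEN, 0));
    printf("new check, len = MAX_LEN + 1 : %d\n", run_case(ELEM_LEN, 1));
    printf("new check, len = MAX_LEN     : %d\n", run_case(MAX_LEN, 1));
    return 0;
}
```

The guard byte keeps the stray write inside `storage`, so the model shows the overrun without itself touching memory it does not own.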
