lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202308040103.1514A8C3CB@keescook>
Date:   Fri, 4 Aug 2023 01:10:21 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Yunlong Xing <yunlong.xing@...soc.com>
Cc:     tony.luck@...el.com, gpiccoli@...lia.com, joel@...lfernandes.org,
        enlin.mu@...soc.com, linux-hardening@...r.kernel.org,
        linux-kernel@...r.kernel.org, enlinmu@...il.com,
        yunlong.xing23@...il.com
Subject: Re: [PATCH 1/1] pstore/ram: Check member of buffers during the
 initialization phase of the pstore

On Tue, Aug 01, 2023 at 02:04:32PM +0800, Yunlong Xing wrote:
> From: Enlin Mu <enlin.mu@...soc.com>
> 
> The commit 30696378f68a("pstore/ram: Do not treat empty buffers as valid")
> would introduce the following issue:
> 
> When finding the buffer_size is zero, it would return directly.However, at
> the same time, if the buffer's start is a illegal value, the others would
> panic if access the buffer.

Which "others" do you mean?

> To avoid these happenning, check if the members are legal during the
> initialization phase of the pstore.
> 
> Fixes: 30696378f68a ("pstore/ram: Do not treat empty buffers as valid")
> Cc: stable@...r.kernel.org
> Signed-off-by: Enlin Mu <enlin.mu@...soc.com>
> ---
>  fs/pstore/ram_core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
> index 85aaf0fc6d7d..eb6df190d752 100644
> --- a/fs/pstore/ram_core.c
> +++ b/fs/pstore/ram_core.c
> @@ -519,7 +519,7 @@ static int persistent_ram_post_init(struct persistent_ram_zone *prz, u32 sig,
>  	sig ^= PERSISTENT_RAM_SIG;
>  
>  	if (prz->buffer->sig == sig) {
> -		if (buffer_size(prz) == 0) {
> +		if (buffer_size(prz) == 0 && buffer_start(prz) == 0) {
>  			pr_debug("found existing empty buffer\n");
>  			return 0;
>  		}

And in the case of "buffer_size(prz) == 0" but "buffer_start(prz) != 0",
this will be caught by:

                if (buffer_size(prz) > prz->buffer_size ||
                    buffer_start(prz) > buffer_size(prz)) {
                        pr_info("found existing invalid buffer, size %zu, start %zu\n",
                                buffer_size(prz), buffer_start(prz));
                        zap = true;
                }

i.e. it will be detected and zapped back to a sane state.

That sounds correct to me, though I wonder if reporting it as an
"invalid buffer" is inaccurate? Perhaps we should have a separate case:

		if (buffer_size(prz) == 0) {
			if (buffer_start(prz) == 0)
				pr_debug("found existing empty buffer\n");
			else {
				pr_debug("found existing empty buffer with non-zero start\n");
				zap = true;
			}
		} else if ...

What do you think?

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ