lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 10 Oct 2023 08:46:31 +0300
From:   kirill.shutemov@...ux.intel.com
To:     Binbin Wu <binbin.wu@...ux.intel.com>
Cc:     dave.hansen@...ux.intel.com, luto@...nel.org, peterz@...radead.org,
        shuah@...nel.org, linux-kselftest@...r.kernel.org, x86@...nel.org,
        linux-kernel@...r.kernel.org, weihong.zhang@...el.com
Subject: Re: [PATCH] selftests/x86/lam: Zero out buffer for readlink()

On Tue, Oct 10, 2023 at 11:51:32AM +0800, Binbin Wu wrote:
> 
> 
> On 9/27/2023 7:02 PM, kirill.shutemov@...ux.intel.com wrote:
> > On Sun, Sep 24, 2023 at 07:33:46AM +0800, Binbin Wu wrote:
> > > Zero out the buffer for readlink() since readlink() does not append a
> > > terminating null byte to the buffer.
> > > 
> > > Fixes: 833c12ce0f430 ("selftests/x86/lam: Add inherit test cases for linear-address masking")
> > > 
> > > Signed-off-by: Binbin Wu <binbin.wu@...ux.intel.com>
> > > ---
> > >   tools/testing/selftests/x86/lam.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/tools/testing/selftests/x86/lam.c b/tools/testing/selftests/x86/lam.c
> > > index eb0e46905bf9..9f06942a8e25 100644
> > > --- a/tools/testing/selftests/x86/lam.c
> > > +++ b/tools/testing/selftests/x86/lam.c
> > > @@ -680,7 +680,7 @@ static int handle_execve(struct testcases *test)
> > >   		perror("Fork failed.");
> > >   		ret = 1;
> > >   	} else if (pid == 0) {
> > > -		char path[PATH_MAX];
> > > +		char path[PATH_MAX] = {0};
> > Shouldn't it be PATH_MAX+1 to handle the case when readlink(2) stores
> > exactly PATH_MAX bytes into the buffer?
> According to the definition of PATH_MAX in include/uapi/linux/limits.h
> #define PATH_MAX        4096    /* # chars in a path name including nul */
> 
> IIUC, Linux limits the path length to 4095 and PATH_MAX includes the
> terminating nul.

Consider the case when kernel bump PATH_MAX to 8192. The binary that
compiled from lam.c against the older kernel headers will get compromised.

Increase the size of the buffer by one or pass PATH_MAX - 1 as buffer size
to readlink(2).

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ