lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 13 Dec 2023 14:31:26 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Mark Brown <broonie@...nel.org>, Shuah Khan <shuah@...nel.org>,
        Haibo Xu <haibo1.xu@...el.com>,
        Andrew Jones <ajones@...tanamicro.com>,
        Anup Patel <anup@...infault.org>
Cc:     kvm@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH RESEND v3] KVM: selftests: Initialise dynamically
 allocated configuration names

On 12/11/23 14:08, Mark Brown wrote:
> When we dynamically generate a name for a configuration in get-reg-list
> we use strcat() to append to a buffer allocated using malloc() but we
> never initialise that buffer. Since malloc() offers no guarantees
> regarding the contents of the memory it returns this can lead to us
> corrupting, and likely overflowing, the buffer:
> 
>    vregs: PASS
>    vregs+pmu: PASS
>    sve: PASS
>    sve+pmu: PASS
>    vregs+pauth_address+pauth_generic: PASS
>    X�vr+gspauth_addre+spauth_generi+pmu: PASS
> 
> Initialise the buffer to an empty string to avoid this.

> diff --git a/tools/testing/selftests/kvm/get-reg-list.c b/tools/testing/selftests/kvm/get-reg-list.c
> index be7bf5224434..dd62a6976c0d 100644
> --- a/tools/testing/selftests/kvm/get-reg-list.c
> +++ b/tools/testing/selftests/kvm/get-reg-list.c
> @@ -67,6 +67,7 @@ static const char *config_name(struct vcpu_reg_list *c)
>   
>   	c->name = malloc(len);
>   
> +	c->name[0] = '\0';
>   	len = 0;
>   	for_each_sublist(c, s) {
>   		if (!strcmp(s->name, "base"))
>  			continue;
>  		strcat(c->name + len, s->name);

This can be fixed just by s/strcat/strcpy/, but there's also an ugly 
hidden assumption that for_each_sublist runs at least one iteration of 
the loop; otherwise, the loop ends with a c->name[-1] = '\0';

>                 len += strlen(s->name) + 1;
>                 c->name[len - 1] = '+';
>         }
>         c->name[len - 1] = '\0';

Now this *is* a bit academic, but it remains the fact that all the 
invariants are screwed up and while we're fixing it we might at least 
fix it well.

So let's make the invariant that c->name[0..len-1] is initialized.  Then 
every write is done with either strcpy of c->name[len++] = '...'.

> ---
> base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86
> change-id: 20231012-kvm-get-reg-list-str-init-76c8ed4e19d6
> 
> Best regards,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ