lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <c238ee65-30fb-a5b4-cff7-9adc8f12971c@ispras.ru>
Date: Mon, 8 Jan 2024 19:56:44 +0300
From: Alexey Khoroshilov <khoroshilov@...ras.ru>
To: Andrey Shumilin <shum.sdl@...ct.ru>,
 Sudip Mukherjee <sudipm.mukherjee@...il.com>
Cc: linux-kernel@...r.kernel.org,
 "lvc-project@...uxtesting.org" <lvc-project@...uxtesting.org>
Subject: Re: [PATCH 2/2] procfs.c: Increasing array size

On 16.11.2023 10:05, Andrey Shumilin wrote:
> The maximum size in bytes of the port->base and port->base_hi
> variables is 20 bytes per variable, since they are copied in
> decimal notation. Two more characters are \t and \n.
> A maximum of 42 bytes can be written to a buffer variable.

I would update subject and description like that:

paport: Fix potential buffer overflow in do_hardware_base_addr()

The maximum size after expansion for the "%lu\t%lu\n"
is 20+1+20+1+1 = 43 bytes, while buffer is of size 20 bytes.
So buffer overflow may happen.


Otherwise, looks good to me.

Reviewed-by: Alexey Khoroshilov <khoroshilov@...ras.ru>


> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Andrey Shumilin <shum.sdl@...ct.ru>
> ---
>  drivers/parport/procfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
> index bd388560ed59..9b894f7cb581 100644
> --- a/drivers/parport/procfs.c
> +++ b/drivers/parport/procfs.c
> @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
>  				 void *result, size_t *lenp, loff_t *ppos)
>  {
>  	struct parport *port = (struct parport *)table->extra1;
> -	char buffer[20];
> +	char buffer[44];
>  	int len = 0;
>  
>  	if (*ppos) {
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ