lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <88009872-377b-4155-aceb-88d36f4a44e4@app.fastmail.com>
Date: Mon, 08 Apr 2024 21:20:25 +0200
From: "Arnd Bergmann" <arnd@...db.de>
To: "Dan Carpenter" <dan.carpenter@...aro.org>
Cc: "Arnd Bergmann" <arnd@...nel.org>, linux-kernel@...r.kernel.org,
 "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
 "Kees Cook" <keescook@...omium.org>, "Daniel Micay" <danielmicay@...il.com>,
 linux-staging@...ts.linux.dev
Subject: Re: [PATCH 03/11] staging: replace weird strncpy() with memcpy()

On Mon, Apr 8, 2024, at 17:59, Dan Carpenter wrote:
> On Mon, Apr 08, 2024 at 04:45:55PM +0200, Arnd Bergmann wrote:
>> On Thu, Mar 28, 2024, at 17:35, Dan Carpenter wrote:
>> >>  	if (sendbytes > 8) {
>> >>  		memcpy(buf, inquiry_buf, 8);
>> >> -		strncpy(buf + 8, inquiry_string, sendbytes - 8);
>> >> +		memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
>> >
>> > I think your math is off.  The string is 29 characters + NUL.  So it
>> > should be "min(sendbytes, 38) - 8".  You're chopping off the space and
>> > the NUL terminator.
>> >
>> > This only affects pro_formatter_flag code...
>> 
>> The extra two bytes were clearly a mistake in the original version
>> at the time it got added to drivers/staging. Note how the code
>> immediately below it would overwrite the space and NUL byte again:
>> 
>>         if (pro_formatter_flag) {
>>                 if (sendbytes > 36)
>>                         memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
>>         }
>> 
>
> Ah.  Okay.  Fair enough.
>
> I do think this code is really suspect...  What is the point of allowing
> sendbytes < 36?  But that's not related to your patch.

As far as I can tell, the driver tries to emulate the behavior
or normal scsi commands that could be issued from userspace through
SGIO with a short length. drivers/ata/libata-scsi.c has code to
handle INQUIRY as well that is somewhat similar but also different
enough that I don't trust the rts5208 version of it.

On a separate note, I just noticed that I forgot to put
the driver name into the subject line, which I've fixed
up for v2 as well now.

    Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ