| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Apr 2024 22:59:26 +0800
From: Yuntao Wang <ytcoode@...il.com>
To: mhiramat@...nel.org
Cc: akpm@...ux-foundation.org,
arnd@...db.de,
christophe.leroy@...roup.eu,
geert@...ux-m68k.org,
jpoimboe@...nel.org,
kjlx@...pleofstupid.com,
linux-kernel@...r.kernel.org,
ndesaulniers@...gle.com,
peterz@...radead.org,
rppt@...nel.org,
tglx@...utronix.de,
tj@...nel.org,
ytcoode@...il.com
Subject: Re: [PATCH] init/main.c: Fix potential static_command_line memory overflow
On Thu, 11 Apr 2024 23:29:01 +0900, Masami Hiramatsu (Google) <mhiramat@...nel.org> wrote:
> On Thu, 11 Apr 2024 09:23:47 +0200
> Geert Uytterhoeven <geert@...ux-m68k.org> wrote:
>
> > CC Hiramatsu-san
> >
> > On Thu, Apr 11, 2024 at 5:25 AM Yuntao Wang <ytcoode@...il.com> wrote:
> > > We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for
> > > static_command_line, but the strings copied into static_command_line are
> > > extra_command_line and command_line, rather than extra_command_line and
> > > boot_command_line.
> > >
> > > When strlen(command_line) > strlen(boot_command_line), static_command_line
> > > will overflow.
>
> Hi Yuntao,
>
> OK, but this is not a good way to fix.
> We should introduce "slen = strlen(command_line) + xlen + 1" and use it for
> allocating static_command_line.
Hi Masami,
But this would introduce an additional variable 'slen', which seems unnecessary.
In fact, we can use 'len' directly, this makes the code more concise.
> > >
> > > Fixes: f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()")
>
> As Mike pointed, this is not the best commit.
>
> Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
>
> Thank you,
I have reviewed the commit 51887d03aca1, but I don't think this commit introduced the issue.
I still think it was introduced by the f5c7310ac73e commit. Or perhaps I missed something?
> > > Signed-off-by: Yuntao Wang <ytcoode@...il.com>
> > > ---
> > > init/main.c | 8 +++++---
> > > 1 file changed, 5 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/init/main.c b/init/main.c
> > > index 2ca52474d0c3..a7b1f5f3e3b6 100644
> > > --- a/init/main.c
> > > +++ b/init/main.c
> > > @@ -625,11 +625,13 @@ static void __init setup_command_line(char *command_line)
> > > if (extra_init_args)
> > > ilen = strlen(extra_init_args) + 4; /* for " -- " */
> > >
> > > - len = xlen + strlen(boot_command_line) + 1;
> > > + len = xlen + strlen(boot_command_line) + ilen + 1;
> > >
> > > - saved_command_line = memblock_alloc(len + ilen, SMP_CACHE_BYTES);
> > > + saved_command_line = memblock_alloc(len, SMP_CACHE_BYTES);
> > > if (!saved_command_line)
> > > - panic("%s: Failed to allocate %zu bytes\n", __func__, len + ilen);
> > > + panic("%s: Failed to allocate %zu bytes\n", __func__, len);
> > > +
> > > + len = xlen + strlen(command_line) + 1;
> > >
> > > static_command_line = memblock_alloc(len, SMP_CACHE_BYTES);
> > > if (!static_command_line)
> >
> > Gr{oetje,eeting}s,
> >
> > Geert
> >
> > --
> > Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68korg
> >
> > In personal conversations with technical people, I call myself a hacker. But
> > when I'm talking to journalists I just say "programmer" or something like that.
> > -- Linus Torvalds
> >
>
>
> --
> Masami Hiramatsu (Google) <mhiramat@...nel.org>
Powered by blists - more mailing lists