| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 May 2024 12:17:09 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: quic_zijuhu <quic_zijuhu@...cinc.com>
Cc: Dmitry Torokhov <dmitry.torokhov@...il.com>, rafael@...nel.org,
akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH v2] kobject_uevent: Fix OOB access within
zap_modalias_env()
On Wed, May 29, 2024 at 06:07:06PM +0800, quic_zijuhu wrote:
> On 5/29/2024 2:56 AM, Dmitry Torokhov wrote:
> > On Tue, May 28, 2024 at 11:19:07AM +0800, Zijun Hu wrote:
> >> zap_modalias_env() wrongly calculates size of memory block to move, so
> >> will cause OOB memory access issue if variable MODALIAS is not the last
> >> one within its @env parameter, fixed by correcting size to memmove.
> >>
> >> Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
> >> Cc: stable@...r.kernel.org
> >> Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
> >> ---
> >> V1 -> V2: Correct commit messages and add inline comments
> >>
> >> V1 discussion link:
> >> https://lore.kernel.org/lkml/0b916393-eb39-4467-9c99-ac1bc9746512@quicinc.com/T/#m8d80165294640dbac72f5c48d14b7ca4f097b5c7
> >>
> >> lib/kobject_uevent.c | 17 ++++++++++++++++-
> >> 1 file changed, 16 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> >> index 03b427e2707e..f22366be020c 100644
> >> --- a/lib/kobject_uevent.c
> >> +++ b/lib/kobject_uevent.c
> >> @@ -433,8 +433,23 @@ static void zap_modalias_env(struct kobj_uevent_env *env)
> >> len = strlen(env->envp[i]) + 1;
> >>
> >> if (i != env->envp_idx - 1) {
> >> + /* @env->envp[] contains pointers to @env->buf[]
> >> + * with @env->buflen elements, and we want to
> >> + * remove variable MODALIAS pointed by
> >> + * @env->envp[i] with length @len as shown below:
> >> + *
> >> + * 0 @env->buf[] @env->buflen
> >> + * ----------------------------------------
> >> + * ^ ^ ^
> >> + * |-> @len <-| target block |
> >> + * @env->envp[i] @env->envp[i+1]
> >> + *
> >> + * so the "target block" indicated above is moved
> >> + * backward by @len, and its right size is
> >> + * (@env->buf + @env->buflen - @env->envp[i + 1]).
> >> + */
> >> memmove(env->envp[i], env->envp[i + 1],
> >> - env->buflen - len);
> >> + env->buf + env->buflen - env->envp[i + 1]);
> >
> > Thank you for noticing this, it is indeed a bug.
> >
> > I wonder if this would not be expressed better as:
> >
> > tail_len = env->buflen - (env->envp[i + 1] - env->envp[0]);
> > memmove(env->envp[i], env->envp[i + 1], tail_len);
> >
> > and we would not need the large comment.
> >
> Greg KH suggests add inline comments since my fix is not obvious with
> first glance, let us wait for his comments within 2 days about below
> question:
> is it okay to remove those inline comments if block size to move is
> changed to env->buflen - (env->envp[i + 1] - env->envp[0]) ?
I'm all for making this simpler, please do so as Dmitry's response looks
better and easier to understand, don't you think?
And add comments, they are always good here for stuff like this :)
thanks,
greg k-h
Powered by blists - more mailing lists