lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2024052933-extended-spender-fc41@gregkh>
Date: Wed, 29 May 2024 12:17:09 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: quic_zijuhu <quic_zijuhu@...cinc.com>
Cc: Dmitry Torokhov <dmitry.torokhov@...il.com>, rafael@...nel.org,
	akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH v2] kobject_uevent: Fix OOB access within
 zap_modalias_env()

On Wed, May 29, 2024 at 06:07:06PM +0800, quic_zijuhu wrote:
> On 5/29/2024 2:56 AM, Dmitry Torokhov wrote:
> > On Tue, May 28, 2024 at 11:19:07AM +0800, Zijun Hu wrote:
> >> zap_modalias_env() wrongly calculates size of memory block to move, so
> >> will cause OOB memory access issue if variable MODALIAS is not the last
> >> one within its @env parameter, fixed by correcting size to memmove.
> >>
> >> Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
> >> Cc: stable@...r.kernel.org
> >> Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
> >> ---
> >> V1 -> V2: Correct commit messages and add inline comments
> >>
> >> V1 discussion link:
> >> https://lore.kernel.org/lkml/0b916393-eb39-4467-9c99-ac1bc9746512@quicinc.com/T/#m8d80165294640dbac72f5c48d14b7ca4f097b5c7
> >>
> >>  lib/kobject_uevent.c | 17 ++++++++++++++++-
> >>  1 file changed, 16 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
> >> index 03b427e2707e..f22366be020c 100644
> >> --- a/lib/kobject_uevent.c
> >> +++ b/lib/kobject_uevent.c
> >> @@ -433,8 +433,23 @@ static void zap_modalias_env(struct kobj_uevent_env *env)
> >>  		len = strlen(env->envp[i]) + 1;
> >>  
> >>  		if (i != env->envp_idx - 1) {
> >> +			/* @env->envp[] contains pointers to @env->buf[]
> >> +			 * with @env->buflen elements, and we want to
> >> +			 * remove variable MODALIAS pointed by
> >> +			 * @env->envp[i] with length @len as shown below:
> >> +			 *
> >> +			 * 0          @env->buf[]      @env->buflen
> >> +			 * ----------------------------------------
> >> +			 *      ^              ^                  ^
> >> +			 *      |->   @len   <-|   target block   |
> >> +			 * @env->envp[i]  @env->envp[i+1]
> >> +			 *
> >> +			 * so the "target block" indicated above is moved
> >> +			 * backward by @len, and its right size is
> >> +			 * (@env->buf + @env->buflen - @env->envp[i + 1]).
> >> +			 */
> >>  			memmove(env->envp[i], env->envp[i + 1],
> >> -				env->buflen - len);
> >> +				env->buf + env->buflen - env->envp[i + 1]);
> > 
> > Thank you for noticing this, it is indeed a bug.
> > 
> > I wonder if this would not be expressed better as:
> > 
> > 			tail_len = env->buflen - (env->envp[i + 1] - env->envp[0]);
> > 			memmove(env->envp[i], env->envp[i + 1], tail_len);
> > 
> > and we would not need the large comment.
> >
> Greg KH suggests add inline comments since my fix is not obvious with
> first glance, let us wait for his comments within 2 days about below
> question:
> is it okay to remove those inline comments if block size to move is
> changed to env->buflen - (env->envp[i + 1] - env->envp[0]) ?

I'm all for making this simpler, please do so as Dmitry's response looks
better and easier to understand, don't you think?

And add comments, they are always good here for stuff like this :)

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ