| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cd8135e4-2de5-48d7-a7de-65afb201b3fe@gmail.com>
Date: Thu, 19 Dec 2024 15:40:32 +0000
From: "Colin King (gmail)" <colin.i.king@...il.com>
To: Anand Jain <anand.jain@...cle.com>, David Sterba <dsterba@...e.com>
Cc: Chris Mason <clm@...com>, Josef Bacik <josef@...icpanda.com>,
"linux-btrfs@...r.kernel.org" <linux-btrfs@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: btrfs: add btrfs_read_policy_to_enum helper and refactor read,
policy store
Hi,
Static analysis on linux-next today has found a potential buffer
overflow in fs/btrfs/sysfs.c in function btrfs_read_policy_to_enum()
The strcpy to string param has no length checks on str and hence if str
is longer than param a buffer overflow on the stack occurs. This can
potentially occur when a user writes a long string to the btrfs sysfs
file read_policy via btrfs_read_policy_store()
int btrfs_read_policy_to_enum(const char *str, s64 *value)
{
char param[32] = {'\0'};
char *__maybe_unused value_str;
int index;
bool found = false;
if (!str || strlen(str) == 0)
return 0;
strcpy(param, str); /* issue here */
....
}
Colin
Powered by blists - more mailing lists