| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241227230940.20894-1-v.shevtsov@maxima.ru>
Date: Fri, 27 Dec 2024 23:09:38 +0000
From: Vitaliy Shevtsov <v.shevtsov@...ima.ru>
To: Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>
CC: Vitaliy Shevtsov <v.shevtsov@...ima.ru>, Jason Gunthorpe <jgg@...pe.ca>,
Leon Romanovsky <leon@...nel.org>, Mitko Haralanov
<mitko.haralanov@...el.com>, Mike Marciniszyn <mike.marciniszyn@...el.com>,
Doug Ledford <dledford@...hat.com>, Don Hiatt <don.hiatt@...el.com>,
<linux-rdma@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<lvc-project@...uxtesting.org>
Subject: [PATCH] IB/hfi1: fix buffer underflow in fault injection code
[Why]
The fault injection code may have a buffer underflow, which may cause
memory corruption by writing a newline character before the base address of
the array. This can happen if the fault->opcodes bitmap is empty.
Since a file in debugfs is created with an empty bitmap, it is possible to
read the file before any set bits are written to it.
[How]
Fix this by checking that the size variable is greater than zero, otherwise
return zero as the number of bytes read.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery")
Signed-off-by: Vitaliy Shevtsov <v.shevtsov@...ima.ru>
---
drivers/infiniband/hw/hfi1/fault.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c
index ec9ee59fcf0c..2d87f9c8b89d 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -190,7 +190,8 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf,
bit = find_next_bit(fault->opcodes, bitsize, zero);
}
debugfs_file_put(file->f_path.dentry);
- data[size - 1] = '\n';
+ if (size)
+ data[size - 1] = '\n';
data[size] = '\0';
ret = simple_read_from_buffer(buf, len, pos, data, size);
free_data:
--
2.47.1
Powered by blists - more mailing lists