lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z-h2rOF2ulYAS3_j@grain>
Date: Sun, 30 Mar 2025 01:39:40 +0300
From: Cyrill Gorcunov <gorcunov@...il.com>
To: Jean Delvare <jdelvare@...e.de>
Cc: LKML <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] firmware: dmi: Respect buffer size in get_modalias

When we collect data from DMI info the "dmi" prefix is copied unconditionally
which may result in buffer overflow in case of filling uevent environment.
Thus lets use strscpy() helper instead. Same time make all get_modalias()
callers to handler error.

CC: Jean Delvare <jdelvare@...e.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com>
---
v2:
 - add comment about reserving space for suffix
 - check for error in callers

 drivers/firmware/dmi-id.c |   30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

Index: linux-tip.git/drivers/firmware/dmi-id.c
===================================================================
--- linux-tip.git.orig/drivers/firmware/dmi-id.c
+++ linux-tip.git/drivers/firmware/dmi-id.c
@@ -103,8 +103,15 @@ static ssize_t get_modalias(char *buffer
 	char *p;
 	const struct mafield *f;
 
-	strcpy(buffer, "dmi");
-	p = buffer + 3; left = buffer_size - 4;
+	l = strscpy(buffer, "dmi", buffer_size);
+	if (l < 0)
+		return -ENOMEM;
+	p = buffer + l;
+
+	/* Reserve place for suffix */
+	left = buffer_size - l - 1;
+	if (left < 0)
+		return -ENOMEM;
 
 	for (f = fields; f->prefix && left > 0; f++) {
 		const char *c;
@@ -125,20 +132,21 @@ static ssize_t get_modalias(char *buffer
 		left -= l;
 	}
 
-	p[0] = ':';
-	p[1] = 0;
+	*p++ = ':';
+	*p = 0;
 
-	return p - buffer + 1;
+	return p - buffer;
 }
 
 static ssize_t sys_dmi_modalias_show(struct device *dev,
 				     struct device_attribute *attr, char *page)
 {
-	ssize_t r;
-	r = get_modalias(page, PAGE_SIZE-1);
-	page[r] = '\n';
-	page[r+1] = 0;
-	return r+1;
+	ssize_t r = get_modalias(page, PAGE_SIZE-1);
+	if (r > 0) {
+		page[r++] = '\n';
+		page[r] = 0;
+	}
+	return r;
 }
 
 static struct device_attribute sys_dmi_modalias_attr =
@@ -163,7 +171,7 @@ static int dmi_dev_uevent(const struct d
 		return -ENOMEM;
 	len = get_modalias(&env->buf[env->buflen - 1],
 			   sizeof(env->buf) - env->buflen);
-	if (len >= (sizeof(env->buf) - env->buflen))
+	if (len < 0)
 		return -ENOMEM;
 	env->buflen += len;
 	return 0;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ