lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bf75a685e8e94a90a84123122994592a505b8d02.camel@gmail.com>
Date: Tue, 06 May 2025 07:48:20 +0100
From: Nuno Sá <noname.nuno@...il.com>
To: Markus Burri <markus.burri@...com>, linux-kernel@...r.kernel.org
Cc: Nuno Sa <nuno.sa@...log.com>, Olivier Moysan
 <olivier.moysan@...s.st.com>,  Jonathan Cameron <jic23@...nel.org>,
 Lars-Peter Clausen <lars@...afoo.de>,  linux-iio@...r.kernel.org, Markus
 Burri <markus.burri@....ch>
Subject: Re: [PATCH v3] iio: backend: fix out-of-bound write

On Mon, 2025-05-05 at 22:38 +0200, Markus Burri wrote:
> The buffer is set to 80 character. If a caller write more characters,
> count is truncated to the max available space in "simple_write_to_buffer".
> But afterwards a string terminator is written to the buffer at offset count
> without boundary check. The zero termination is written OUT-OF-BOUND.
> 
> Add a check that the given buffer is smaller then the buffer to prevent.
> 
> Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer")
> Signed-off-by: Markus Burri <markus.burri@...com>
> ---

LGTM

Reviewed-by: Nuno Sá <nuno.sa@...log.com>

>  drivers/iio/industrialio-backend.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/industrialio-backend.c b/drivers/iio/industrialio-
> backend.c
> index a43c8d1bb3d0..4a364e038449 100644
> --- a/drivers/iio/industrialio-backend.c
> +++ b/drivers/iio/industrialio-backend.c
> @@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write_reg(struct file
> *file,
>  	ssize_t rc;
>  	int ret;
>  
> +	if (count >= sizeof(buf) - 1)
> +		return -ENOSPC;
> +
>  	rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
>  	if (rc < 0)
>  		return rc;
>  
> -	buf[count] = '\0';
> +	buf[rc] = '\0';

you could have mentioned this change in the commit message...

> 
>  	ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);
>  
> 
> base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ