| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <66e8ea9630d69b16fbffdc55d2cf77e0820ebcc3.camel@gmail.com>
Date: Wed, 07 May 2025 07:23:34 +0100
From: Nuno Sá <noname.nuno@...il.com>
To: David Lechner <dlechner@...libre.com>, Markus Burri
<markus.burri@...com>, linux-kernel@...r.kernel.org
Cc: Nuno Sa <nuno.sa@...log.com>, Olivier Moysan
<olivier.moysan@...s.st.com>, Jonathan Cameron <jic23@...nel.org>,
Lars-Peter Clausen <lars@...afoo.de>, linux-iio@...r.kernel.org, Markus
Burri <markus.burri@....ch>
Subject: Re: [PATCH v3] iio: backend: fix out-of-bound write
On Tue, 2025-05-06 at 12:00 -0500, David Lechner wrote:
> On 5/5/25 3:38 PM, Markus Burri wrote:
> > The buffer is set to 80 character. If a caller write more characters,
> > count is truncated to the max available space in "simple_write_to_buffer".
> > But afterwards a string terminator is written to the buffer at offset count
> > without boundary check. The zero termination is written OUT-OF-BOUND.
> >
> > Add a check that the given buffer is smaller then the buffer to prevent.
> >
> > Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer")
> > Signed-off-by: Markus Burri <markus.burri@...com>
> > ---
> > drivers/iio/industrialio-backend.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/iio/industrialio-backend.c b/drivers/iio/industrialio-
> > backend.c
> > index a43c8d1bb3d0..4a364e038449 100644
> > --- a/drivers/iio/industrialio-backend.c
> > +++ b/drivers/iio/industrialio-backend.c
> > @@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write_reg(struct file
> > *file,
> > ssize_t rc;
> > int ret;
> >
> > + if (count >= sizeof(buf) - 1)
>
> Isn't it OK if count == sizeof(buf) - 1? In other words, should be:
>
> if (count >= sizeof(buf))
Oh, indeed you're right. Sorry Mark! I was the one asking for it but I did not
realized the comparison was '>='. So I was thinking if (count > sizeof(buf) - 1)
which is pretty much if (count >= sizeof(buf))
Arghh... Maybe Jonathan can tweak this while applying so you do not have to spin
another version because of this.
- Nuno Sá
>
> > + return -ENOSPC;
> > +
> > rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
> > if (rc < 0)
> > return rc;
> >
> > - buf[count] = '\0';
> > + buf[rc] = '\0';
> >
> > ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);
> >
> >
> > base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
>
> It looks like we have the same or similar bugs in:
>
> drivers/accel/ivpu/ivpu_debugfs.c
> drivers/gpio/gpio-virtuser.c
> drivers/iio/industrialio-core.c
> drivers/iio/dac/ad3552r-hs.c
>
> Do you plan to fix these as well?
Powered by blists - more mailing lists