Message-Id: <20250508130612.82270-1-markus.burri@mt.com>
Date: Thu,  8 May 2025 15:06:06 +0200
From: Markus Burri <markus.burri@...com>
To: linux-kernel@...r.kernel.org
Cc: Markus Burri <markus.burri@...com>,
	Mahesh J Salgaonkar <mahesh@...ux.ibm.com>,
	"Oliver O'Halloran" <oohall@...il.com>,
	Madhavan Srinivasan <maddy@...ux.ibm.com>,
	Michael Ellerman <mpe@...erman.id.au>,
	Nicholas Piggin <npiggin@...il.com>,
	Christophe Leroy <christophe.leroy@...roup.eu>,
	Naveen N Rao <naveen@...nel.org>,
	Jacek Lawrynowicz <jacek.lawrynowicz@...ux.intel.com>,
	Maciej Falkowski <maciej.falkowski@...ux.intel.com>,
	Oded Gabbay <ogabbay@...nel.org>,
	Linus Walleij <linus.walleij@...aro.org>,
	Bartosz Golaszewski <brgl@...ev.pl>,
	Nuno Sa <nuno.sa@...log.com>,
	Olivier Moysan <olivier.moysan@...s.st.com>,
	Jonathan Cameron <jic23@...nel.org>,
	Lars-Peter Clausen <lars@...afoo.de>,
	linuxppc-dev@...ts.ozlabs.org,
	dri-devel@...ts.freedesktop.org,
	linux-gpio@...r.kernel.org,
	linux-iio@...r.kernel.org,
	Markus Burri <markus.burri@....ch>
Subject: [PATCH v4 0/6] Fix potential out-of-bounds error in some drivers

Several drivers are using debugfs and follow the same pattern.

A buffer is created on the stack with a limited size to copy the given data
from user space. The copy is performed using simple_write_to_buffer.
This function limits the input according to the specified buffer size, but
it does not write a string terminator if the buffer is truncated.
Therefore, the driver adds this zero terminator afterward.
Unfortunately, the original buffer size is used as an index, which can lead
to an out-of-bounds error.

This patch set fixes this issue in all the drivers I have detected so far.
The fix is to return an error in case of an unexpectedly long buffer being
received and to use the effective written size for the zero terminator for 
consistency.

Changes in V4:
* Revert the decrement of accepted size by one character
* Added patches for drivers with the same pattern

Changes in V3:
* Decrement accepted size by one character according to feedback

Changes in V2:
* Use effective written size as index instead of original size

---
[V3] https://lore.kernel.org/lkml/20250505203830.5117-1-markus.burri@mt.com/
[V2] https://lore.kernel.org/lkml/20250505045346.29647-1-markus.burri@mt.com/
[V1] https://lore.kernel.org/lkml/20250501063240.25295-1-markus.burri@mt.com/

Markus Burri (6):
  iio: backend: fix out-of-bound write
  accel/ivpu: Use effective buffer size for zero terminator
  iio: fix potential out-of-bound write
  gpio: fix potential out-of-bound write
  powerpc/eeh: fix potential OoB
  powerpc/eeh-powernv: fix potential OoB

 arch/powerpc/kernel/eeh.c                    |  7 ++++++-
 arch/powerpc/platforms/powernv/eeh-powernv.c |  7 ++++++-
 drivers/accel/ivpu/ivpu_debugfs.c            |  2 +-
 drivers/gpio/gpio-virtuser.c                 | 12 ++++++++++--
 drivers/iio/industrialio-backend.c           |  5 ++++-
 drivers/iio/industrialio-core.c              |  5 ++++-
 6 files changed, 31 insertions(+), 7 deletions(-)


base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
-- 
2.39.5
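
A user-space model of the pattern this cover letter describes, added here as an illustration and not taken from the patch series or the kernel. `model_write_to_buffer`, `write_legacy`, `write_fixed`, `BUF_SIZE`, `GUARD` and the `-ENOSPC` return value are assumptions of this example; the guard region exists only so the misplaced terminator can be observed without leaving the array.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 16u  /* constructed size of the driver's on-stack buffer */
#define GUARD    16u  /* demo-only slack so the stray write stays observable */

/* User-space model of simple_write_to_buffer() at offset 0: clamps the copy
 * to `available`, returns bytes copied, and never adds a terminator. */
static ssize_t model_write_to_buffer(char *to, size_t available,
                                     const char *from, size_t count)
{
    if (count > available)
        count = available;
    memcpy(to, from, count);
    return (ssize_t)count;
}

/* Pattern described in the cover letter: the terminator index is the
 * caller-supplied count, not the number of bytes actually copied.
 * Returns the index written so it can be compared with BUF_SIZE. */
static size_t write_legacy(char *region, const char *from, size_t count)
{
    model_write_to_buffer(region, BUF_SIZE - 1, from, count);
    if (count >= BUF_SIZE + GUARD)      /* keep the demo itself in bounds */
        count = BUF_SIZE + GUARD - 1;
    region[count] = '\0';
    return count;
}

/* Fix described in the cover letter: reject over-long input, then terminate
 * at the effective written size. -ENOSPC is this example's choice of errno. */
static ssize_t write_fixed(char *region, const char *from, size_t count)
{
    ssize_t ret;
    if (count >= BUF_SIZE)
        return -ENOSPC;
    ret = model_write_to_buffer(region, BUF_SIZE - 1, from, count);
    region[ret] = '\0';
    return ret;
}

int main(void)
{
    char region[BUF_SIZE + GUARD] = {0}, in[24];  /* constructed input */
    memset(in, 'A', sizeof(in));
    return !(write_legacy(region, in, sizeof(in)) >= BUF_SIZE &&
             write_fixed(region, in, sizeof(in)) == -ENOSPC);
}
```

With a 24-byte write, the legacy path places its terminator at index 24 of a 16-byte logical buffer even though only 15 bytes were copied, while the fixed path rejects the write before touching the buffer.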
