Message-ID: <20250525102331.46a4d778@jic23-huawei>
Date: Sun, 25 May 2025 10:23:31 +0100
From: Jonathan Cameron <jic23@...nel.org>
To: Markus Burri <markus.burri@...com>
Cc: linux-kernel@...r.kernel.org, Mahesh J Salgaonkar
 <mahesh@...ux.ibm.com>, "Oliver O'Halloran" <oohall@...il.com>, Madhavan
 Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>,
 Nicholas Piggin <npiggin@...il.com>, Christophe Leroy
 <christophe.leroy@...roup.eu>, Naveen N Rao <naveen@...nel.org>, Jacek
 Lawrynowicz <jacek.lawrynowicz@...ux.intel.com>, Maciej Falkowski
 <maciej.falkowski@...ux.intel.com>, Oded Gabbay <ogabbay@...nel.org>, Linus
 Walleij <linus.walleij@...aro.org>, Bartosz Golaszewski <brgl@...ev.pl>,
 Nuno Sa <nuno.sa@...log.com>, Olivier Moysan <olivier.moysan@...s.st.com>,
 Lars-Peter Clausen <lars@...afoo.de>, linuxppc-dev@...ts.ozlabs.org,
 dri-devel@...ts.freedesktop.org, linux-gpio@...r.kernel.org,
 linux-iio@...r.kernel.org, Markus Burri <markus.burri@....ch>
Subject: Re: [PATCH v4 3/6] iio: fix potential out-of-bound write

On Thu,  8 May 2025 15:06:09 +0200
Markus Burri <markus.burri@...com> wrote:

> The buffer is set to 20 characters. If a caller writes more characters,
> count is truncated to the max available space in "simple_write_to_buffer".
> To protect from OoB access, check that the input size fits into the buffer and
> add a zero terminator after copy to the end of the copied data.
> 
> Signed-off-by: Markus Burri <markus.burri@...com>
> ---
Applied to the fixes-togreg branch of iio.git.

I'd still like some more eyes on this if anyone has time though as
experience teaches me that subtle tweaks to string manipulation end
conditions are easy places to make mistakes!

I'll not be pushing out as non rebasing until I rebase on rc1 anyway
so we have time.

Thanks,

Jonathan

>  drivers/iio/industrialio-core.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index b9f4113ae5fc..ebf17ea5a5f9 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -410,12 +410,15 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
>  	char buf[80];
>  	int ret;
>  
> +	if (count >= sizeof(buf))
> +		return -EINVAL;
> +
>  	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
>  				     count);
>  	if (ret < 0)
>  		return ret;
>  
> -	buf[count] = '\0';
> +	buf[ret] = '\0';
>  
>  	ret = sscanf(buf, "%i %i", &reg, &val);
>  
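Review bot: `buf[ret] = '\0'` places the terminator at the number of bytes copied, which is the end of the data only when `*ppos` is 0. simple_write_to_buffer() copies to buf + *ppos, so on a write with a nonzero file position the copied bytes land further into buf, the terminator still goes to index ret, and sscanf() then parses stack bytes that were never initialized. Consider rejecting a nonzero offset together with the new size check, for example `if (*ppos != 0 || count >= sizeof(buf))`, or zero-initializing buf. Separately, the commit message says the buffer is 20 characters while the context line shows `char buf[80]`; the changelog should match the code.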

