Message-ID: <aFhqAergj6LowmyE@codewreck.org>
Date: Mon, 23 Jun 2025 05:39:29 +0900
From: asmadeus@...ewreck.org
To: Kees Cook <kees@...nel.org>
Cc: Dominique Martinet via B4 Relay <devnull+asmadeus.codewreck.org@...nel.org>,
	Eric Van Hensbergen <ericvh@...nel.org>,
	Latchesar Ionkov <lucho@...kov.net>,
	Christian Schoenebeck <linux_oss@...debyte.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Michael Grzeschik <m.grzeschik@...gutronix.de>,
	stable@...r.kernel.org, Yuhao Jiang <danisjiang@...il.com>,
	security@...nel.org, v9fs@...ts.linux.dev,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] net/9p: Fix buffer overflow in USB transport layer

Kees Cook wrote on Sun, Jun 22, 2025 at 01:02:20PM -0700:
> >-	p9_rx_req->rc.size = req->actual;
> >+	memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
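
Review bot: on the added memcpy() line, the copy into rc.sdata is bounded only by req_size, and the quoted lines show neither where req_size is checked against the destination buffer's capacity nor where rc.size is set now that the `p9_rx_req->rc.size = req->actual;` assignment is removed. Keep the bound check and the rc.size update adjacent to the copy, so that the length written into rc.sdata and the length recorded in rc.size are visibly the same validated value.
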
> 
> Is rc.sdata always rc.capacity sized? If so, this would be a good first adopter of the __counted_by annotation for pointer struct members, available in Clang trunk and soon in GCC:
> https://gcc.gnu.org/pipermail/gcc-patches/2025-May/683696.html

I think so, I'll add the annotation in another patch when time allows
(and try to revert this commit to check it works, even if I have no
reason to believe it wouldn't catch this)

(... And this made me realize commit 60ece0833b6c ("net/9p: allocate
appropriate reduced message buffers") likely broke everything for
9p/rdma 3 years ago, as rdma is swapping buffers around...
I guess it doesn't have (m)any users...)

-- 
Dominique Martinet | Asmadeus
