lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANZ3JQTpr1xRwc9GED7aXePsZE_KZ6GnpO+wMn2UaMrD4tbMzg@mail.gmail.com>
Date: Thu, 10 Jul 2025 10:15:19 +0800
From: Wang Haoran <haoranwangsec@...il.com>
To: tony.luck@...el.com, bp@...en8.de
Cc: linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: We found a bug in skx_common.c for the latest linux

Hi, my name is Wang Haoran. We found a bug in the skx_mce_output_error
function located in drivers/edac/skx_common.c in the latest Linux
kernel (version 6.15.5).
The issue arises from the use of snprintf to write into the buffer
skx_msg, which is allocated with size MSG_SIZE.The function formats
multiple strings into skx_msg, including the dynamically generated
adxl_msg, which is also allocated with MSG_SIZE. When combined with
the format string "%s%s err_code:0x%04x:0x%04x %s", the total output
length may exceed MSG_SIZE.
As a result, the return value of snprintf may be greater than the
actual buffer size, which can lead to truncation issues or cause the
skx_show_retry_rd_err_log() function to fail unexpectedly.
Replacing snprintf with scnprintf ensures the return value never
exceeds the specified buffer size, preventing such issues.

--- skx_common.c 2025-07-06 17:04:26.000000000 +0800
+++ skx_common.c 2025-07-09 17:16:56.912779591 +0800
@@ -670,12 +670,12 @@
  }

  if (res->decoded_by_adxl) {
- len = snprintf(skx_msg, MSG_SIZE, "%s%s err_code:0x%04x:0x%04x %s",
+ len = scnprintf(skx_msg, MSG_SIZE, "%s%s err_code:0x%04x:0x%04x %s",
  overflow ? " OVERFLOW" : "",
  (uncorrected_error && recoverable) ? " recoverable" : "",
  mscod, errcode, adxl_msg);
  } else {
- len = snprintf(skx_msg, MSG_SIZE,
+ len = scnprintf(skx_msg, MSG_SIZE,
  "%s%s err_code:0x%04x:0x%04x ProcessorSocketId:0x%x
MemoryControllerId:0x%x PhysicalRankId:0x%x Row:0x%x Column:0x%x
Bank:0x%x BankGroup:0x%x",
  overflow ? " OVERFLOW" : "",
  (uncorrected_error && recoverable) ? " recoverable" : "",

Best regards,
Wang Haoran

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ