lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <689285efaf59e_cff9910066@dwillia2-xfh.jf.intel.com.notmuch>
Date: Tue, 5 Aug 2025 15:30:07 -0700
From: <dan.j.williams@...el.com>
To: Nikolay Borisov <nik.borisov@...e.com>,
	<linux-security-module@...r.kernel.org>
CC: <linux-kernel@...r.kernel.org>, <paul@...l-moore.com>, <serge@...lyn.com>,
	<jmorris@...ei.org>, <dan.j.williams@...el.com>, Nikolay Borisov
	<nik.borisov@...e.com>
Subject: Re: [PATCH v2 3/3] lockdown: Use snprintf in lockdown_read

Nikolay Borisov wrote:
> Since individual features are now locked down separately ensure that if
> the printing code is change to list them a buffer overrun won't be
> introduced.  As per Serge's recommendation switch from using sprintf to
> using snprintf and return EINVAL in case longer than 80 char string hasi
> to be printed.

I would have expected this safety to come before patch1, but it also
feels like the maximum buffer size could be calculated at compile time
to make the maximum output always fit.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ