| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250914144549.2c8d7453@kernel.org>
Date: Sun, 14 Sep 2025 14:45:49 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Ivan Vecera <ivecera@...hat.com>
Cc: netdev@...r.kernel.org, Przemek Kitszel <przemyslaw.kitszel@...el.com>,
Jiri Pirko <jiri@...nulli.us>, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Simon
Horman <horms@...nel.org>, Jonathan Corbet <corbet@....net>, Prathosh
Satish <Prathosh.Satish@...rochip.com>, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, Michal Schmidt <mschmidt@...hat.com>, Petr
Oros <poros@...hat.com>
Subject: Re: [PATCH net-next v6 3/5] dpll: zl3073x: Add firmware loading
functionality
On Tue, 9 Sep 2025 11:15:30 +0200 Ivan Vecera wrote:
> + /* Fetch image name and size from input */
> + strscpy(buf, *psrc, min(sizeof(buf), *psize));
> + rc = sscanf(buf, "%15s %u %n", name, &count, &pos);
> + if (!rc) {
> + /* No more data */
> + return 0;
> + } else if (rc == 1 || count > U32_MAX / sizeof(u32)) {
> + ZL3073X_FW_ERR_MSG(extack, "invalid component size");
> + return -EINVAL;
> + }
> + *psrc += pos;
> + *psize -= pos;
Still worried about pos not being bounds checked.
Admin can crash the kernel with invalid FW file.
if (pos > *psize)
/* error */
Also what if sscanf() return 2? pos is uninitialized?
Powered by blists - more mailing lists