lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4b00c8c6-e50b-454d-985d-0a5e2c3d77e9-agordeev@linux.ibm.com>
Date: Thu, 18 Dec 2025 08:57:24 +0100
From: Alexander Gordeev <agordeev@...ux.ibm.com>
To: Thorsten Blum <thorsten.blum@...ux.dev>
Cc: Gerald Schaefer <gerald.schaefer@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>, linux-s390@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] s390/cmm: Account for NUL when calculating 'len' in
 cmm_timeout_handler

On Mon, Dec 15, 2025 at 01:22:14PM +0100, Thorsten Blum wrote:

Hi Thorsten,

> When the input length 'lenp' equals sizeof(buf), the current code copies
> all 64 bytes, but then immediately overwrites the last byte with a NUL
> terminator. Limit the number of bytes to copy to 'sizeof(buf) - 1' to
> reserve space for the NUL terminator.

I see you point, but can not see much of the benefit. Besides,
to me buf[len] = '\0' rings like a past-end-of-the-buffer access
(although it is not, it feels like that on a cursory look).

> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
> ---
>  arch/s390/mm/cmm.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/s390/mm/cmm.c b/arch/s390/mm/cmm.c
> index eb7ef63fab1e..06512bc178a5 100644
> --- a/arch/s390/mm/cmm.c
> +++ b/arch/s390/mm/cmm.c
> @@ -311,9 +311,9 @@ static int cmm_timeout_handler(const struct ctl_table *ctl, int write,
>  	}
>  
>  	if (write) {
> -		len = min(*lenp, sizeof(buf));
> +		len = min(*lenp, sizeof(buf) - 1);
>  		memcpy(buf, buffer, len);
> -		buf[len - 1] = '\0';
> +		buf[len] = '\0';
>  		cmm_skip_blanks(buf, &p);
>  		nr = simple_strtoul(p, &p, 0);
>  		cmm_skip_blanks(p, &p);
> -- 
> Thorsten Blum <thorsten.blum@...ux.dev>

Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ