| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260120230030.5813bfb1.ddiss@suse.de>
Date: Wed, 21 Jan 2026 07:12:50 +1100
From: David Disseldorp <ddiss@...e.de>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc: Christian Brauner <brauner@...nel.org>, Petr Mladek <pmladek@...e.com>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, Al Viro
<viro@...iv.linux.org.uk>, Jan Kara <jack@...e.cz>, Steven Rostedt
<rostedt@...dmis.org>, Rasmus Villemoes <linux@...musvillemoes.dk>, Sergey
Senozhatsky <senozhatsky@...omium.org>, Andrew Morton
<akpm@...ux-foundation.org>
Subject: Re: [PATCH v1 2/4] initramfs: Refactor to use hex2bin() instead of
custom approach
On Mon, 19 Jan 2026 21:38:39 +0100, Andy Shevchenko wrote:
> + ret = hex2bin((u8 *)header, s + 6, sizeof(header));
> + if (ret)
> + error("damaged header");
The changes look reasonable to me on first glance, but I think we really
should improve the error handling to abort the state machine on
malformed header here.
One further issue that we have is simple_strntoul()'s acceptance of
"0x" prefixes for the hex strings - any initramfs which carries such
prefixes will now result in an error.
It's a pretty obscure corner case, but cpio is really easy to generate
from printf(), so maybe there are some images out there which rely on
this.
I've written an initramfs_test regression test for the "0x" prefix
handling. I'll send it to the list.
Thanks, David
Powered by blists - more mailing lists