lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201508181928.JGB95875.OHOtSVLFMFFJQO@I-love.SAKURA.ne.jp>
Date:	Tue, 18 Aug 2015 19:28:53 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	dan.carpenter@...cle.com, hariprasad@...lsio.com
Cc:	netdev@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [patch] cxgb4: memory corruption in debugfs

Dan Carpenter wrote:
> You can't use kstrtoul() with an int or it causes memory corruption.
> Also j should be unsigned or we have underflow bugs.
> 
> I considered changing "j" to unsigned long but everything fits in a u32.

Excuse me, but kstrtouint()'s last argument is not "u32 *" but "unsigned int *".
Aren't there architectures where sizeof(unsigned int) > sizeof(u32) ?

> 
> Fixes: 8e3d04fd7d70 ('cxgb4: Add MPS tracing support')
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> index 1732e29..0a87a32 100644
> --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> @@ -1289,13 +1289,14 @@ static unsigned int xdigit2int(unsigned char c)
>  static ssize_t mps_trc_write(struct file *file, const char __user *buf,
>  			     size_t count, loff_t *pos)
>  {
> -	int i, j, enable, ret;
> +	int i, enable, ret;
>  	u32 *data, *mask;
>  	struct trace_params tp;
>  	const struct inode *ino;
>  	unsigned int trcidx;
>  	char *s, *p, *word, *end;
>  	struct adapter *adap;
> +	u32 j;
>  
>  	ino = file_inode(file);
>  	trcidx = (uintptr_t)ino->i_private & 3;
> @@ -1340,7 +1341,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
>  
>  		if (!strncmp(word, "qid=", 4)) {
>  			end = (char *)word + 4;
> -			ret = kstrtoul(end, 10, (unsigned long *)&j);
> +			ret = kstrtouint(end, 10, &j);
>  			if (ret)
>  				goto out;
>  			if (!adap->trace_rss) {
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ