lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZCXobRYAPfNkSOK5@corigine.com>
Date:   Thu, 30 Mar 2023 21:52:13 +0200
From:   Simon Horman <simon.horman@...igine.com>
To:     Denis Plotnikov <den-plotnikov@...dex-team.ru>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        rajur@...lsio.com, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com
Subject: Re: [PATCH] cxgb4: do conversion after string check

On Thu, Mar 30, 2023 at 06:47:03PM +0300, Denis Plotnikov wrote:
> Static code analyzer complains to uncheck return value.
> Indeed, the return value of kstrtouint "must be checked"
> as the comment says.
> Moreover, it looks like the string conversion  should be
> after "end of string" or "new line" check.
> This patch fixes these issues.
> 
> Signed-off-by: Denis Plotnikov <den-plotnikov@...dex-team.ru>
> ---
>  drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> index 14e0d989c3ba5..a8d3616630cc6 100644
> --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
> @@ -1576,9 +1576,11 @@ inval:				count = -EINVAL;
>  		}
>  		if (*word == '@') {
>  			end = (char *)word + 1;
> -			ret = kstrtouint(end, 10, &j);
>  			if (*end && *end != '\n')
>  				goto inval;

I feel that I must be missing something very obvious.

My reading is that the code only gets to this line
if *end is either '\0' or '\n'. Which would not be the case
if end points to the string representation of number.
So I am confused about this code, both with and without your patch.

Perhaps the check is assuming that end is pointing
to the end of the string representation of the number.
Something like the endptr after a call to libc's strtoul(3).
But by my reading it is pointing to the beginning.

> +			ret = kstrtouint(end, 10, &j);
> +			if (ret)
> +				goto inval;
>  			if (j & 7)          /* doesn't start at multiple of 8 */
>  				goto inval;
>  			j /= 8;
> -- 
> 2.25.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ