lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250323174537.GY892515@horms.kernel.org>
Date: Sun, 23 Mar 2025 17:45:37 +0000
From: Simon Horman <horms@...nel.org>
To: Nick Child <nnac123@...ux.ibm.com>
Cc: netdev@...r.kernel.org, davemarq@...ux.ibm.com, haren@...ux.ibm.com,
	ricklind@...ibm.com
Subject: Re: [PATCH net] ibmvnic: Use kernel helpers for hex dumps

On Thu, Mar 20, 2025 at 04:29:51PM -0500, Nick Child wrote:
> Previously, when the driver was printing hex dumps, the buffer was cast
> to an 8 byte long and printed using string formatters. If the buffer
> size was not a multiple of 8 then a read buffer overflow was possible.
> 
> Therefore, create a new ibmvnic function that loops over a buffer and
> calls hex_dump_to_buffer instead.
> 
> This patch address KASAN reports like the one below:
>   ibmvnic 30000003 env3: Login Buffer:
>   ibmvnic 30000003 env3: 01000000af000000
>   <...>
>   ibmvnic 30000003 env3: 2e6d62692e736261
>   ibmvnic 30000003 env3: 65050003006d6f63
>   ==================================================================
>   BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]
>   Read of size 8 at addr c0000001331a9aa8 by task ip/17681
>   <...>
>   Allocated by task 17681:
>   <...>
>   ibmvnic_login+0x2f0/0xffc [ibmvnic]
>   ibmvnic_open+0x148/0x308 [ibmvnic]
>   __dev_open+0x1ac/0x304
>   <...>
>   The buggy address is located 168 bytes inside of
>                 allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)
>   <...>
>   =================================================================
>   ibmvnic 30000003 env3: 000000000033766e
> 
> Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
> Signed-off-by: Nick Child <nnac123@...ux.ibm.com>
> Reviewed-by: Dave Marquardt <davemarq@...ux.ibm.com>

Reviewed-by: Simon Horman <horms@...nel.org>

> ---
> This patch obsoletes my work to define a for_each macro in printk.h [1].
> It was determined the pitfalls outweighed the benefits of the code
> cleanup.
> 
> Side question, is net the correct mailing list even if the bug being
> addressed was introduced long before the current release? Or is net-next
> more appropriate?  Does bug severity play any part in this or does
> anything with a Fixes tag go to net? netdev-FAQ implies all fixes go into
> net but previous mailing list entries seem to vary. Thanks

My view is that net is the correct target for bug fixes
for Networking code provided the bug is present in net
(which would be the case here).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ