* [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after() @ 2020-08-13 22:30 Steven Rostedt 2020-08-14 2:38 ` Andrew Morton 0 siblings, 1 reply; 4+ messages in thread From: Steven Rostedt @ 2020-08-13 22:30 UTC (permalink / raw) To: LKML; +Cc: Masami Hiramatsu, Andrew Morton From: Steven Rostedt (VMware) <rostedt@goodmis.org> While reviewing some patches for bootconfig, I noticed the following code in xbc_node_compose_key_after(): ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node), depth ? "." : ""); if (ret < 0) return ret; if (ret > size) { size = 0; } else { size -= ret; buf += ret; } But snprintf() returns the number of bytes that would be written, not the number of bytes that are written (ignoring the nul terminator). This means that if the number of non null bytes written were to equal size, then the nul byte, which snprintf() always adds, will overwrite that last byte. ret = snprintf(buf, 5, "hello"); printf("buf = '%s'\n", buf); printf("ret = %d\n", ret); produces: buf = 'hell' ret = 5 The string was truncated without ret being greater than 5. Test (ret >= size) for overwrite. Cc: stable@vger.kernel.org Fixes: 76db5a27a827c ("bootconfig: Add Extra Boot Config support") Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> --- diff --git a/lib/bootconfig.c b/lib/bootconfig.c index a5f701161f6b..42735f2b8860 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -248,7 +248,7 @@ int __init xbc_node_compose_key_after(struct xbc_node *root, depth ? "." : ""); if (ret < 0) return ret; - if (ret > size) { + if (ret >= size) { size = 0; } else { size -= ret; ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after() 2020-08-13 22:30 [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after() Steven Rostedt @ 2020-08-14 2:38 ` Andrew Morton 2020-08-14 3:04 ` Steven Rostedt 0 siblings, 1 reply; 4+ messages in thread From: Andrew Morton @ 2020-08-14 2:38 UTC (permalink / raw) To: Steven Rostedt; +Cc: LKML, Masami Hiramatsu On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <rostedt@goodmis.org> wrote: > From: Steven Rostedt (VMware) <rostedt@goodmis.org> > > While reviewing some patches for bootconfig, I noticed the following > code in xbc_node_compose_key_after(): > > ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node), > depth ? "." : ""); > if (ret < 0) > return ret; > if (ret > size) { > size = 0; > } else { > size -= ret; > buf += ret; > } > > But snprintf() returns the number of bytes that would be written, not > the number of bytes that are written (ignoring the nul terminator). > This means that if the number of non null bytes written were to equal > size, then the nul byte, which snprintf() always adds, will overwrite > that last byte. > > ret = snprintf(buf, 5, "hello"); > printf("buf = '%s'\n", buf); > printf("ret = %d\n", ret); > > produces: > > buf = 'hell' > ret = 5 > > The string was truncated without ret being greater than 5. > Test (ret >= size) for overwrite. What are the end-user visible effects of the bug? IOW, why cc:stable? ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after() 2020-08-14 2:38 ` Andrew Morton @ 2020-08-14 3:04 ` Steven Rostedt 2020-08-15 11:28 ` Masami Hiramatsu 0 siblings, 1 reply; 4+ messages in thread From: Steven Rostedt @ 2020-08-14 3:04 UTC (permalink / raw) To: Andrew Morton; +Cc: LKML, Masami Hiramatsu On Thu, 13 Aug 2020 19:38:18 -0700 Andrew Morton <akpm@linux-foundation.org> wrote: > On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <rostedt@goodmis.org> wrote: > > > From: Steven Rostedt (VMware) <rostedt@goodmis.org> > > > > While reviewing some patches for bootconfig, I noticed the following > > code in xbc_node_compose_key_after(): > > > > ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node), > > depth ? "." : ""); > > if (ret < 0) > > return ret; > > if (ret > size) { > > size = 0; > > } else { > > size -= ret; > > buf += ret; > > } > > > > But snprintf() returns the number of bytes that would be written, not > > the number of bytes that are written (ignoring the nul terminator). > > This means that if the number of non null bytes written were to equal > > size, then the nul byte, which snprintf() always adds, will overwrite > > that last byte. > > > > ret = snprintf(buf, 5, "hello"); > > printf("buf = '%s'\n", buf); > > printf("ret = %d\n", ret); > > > > produces: > > > > buf = 'hell' > > ret = 5 > > > > The string was truncated without ret being greater than 5. > > Test (ret >= size) for overwrite. > > What are the end-user visible effects of the bug? IOW, why cc:stable? > Hmm, looking at it at a wider view, it may not be an issue. The tools code calls this code, and I looked to see if it was possible to corrupt the buffer by an incorrect size. But now that I'm looking at the else part of the section, it may not be a problem as it may act the same. That is, ret == size will make size = 0 with the size -= ret, and we get the same result. OK, you can drop the patch. Thanks for the review! Although, there's no error message if the buffer is not big enough to hold the fields. Masami? -- Steve ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after() 2020-08-14 3:04 ` Steven Rostedt @ 2020-08-15 11:28 ` Masami Hiramatsu 0 siblings, 0 replies; 4+ messages in thread From: Masami Hiramatsu @ 2020-08-15 11:28 UTC (permalink / raw) To: Steven Rostedt; +Cc: Andrew Morton, LKML, Masami Hiramatsu On Thu, 13 Aug 2020 23:04:06 -0400 Steven Rostedt <rostedt@goodmis.org> wrote: > On Thu, 13 Aug 2020 19:38:18 -0700 > Andrew Morton <akpm@linux-foundation.org> wrote: > > > On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <rostedt@goodmis.org> wrote: > > > > > From: Steven Rostedt (VMware) <rostedt@goodmis.org> > > > > > > While reviewing some patches for bootconfig, I noticed the following > > > code in xbc_node_compose_key_after(): > > > > > > ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node), > > > depth ? "." : ""); > > > if (ret < 0) > > > return ret; > > > if (ret > size) { > > > size = 0; > > > } else { > > > size -= ret; > > > buf += ret; > > > } > > > > > > But snprintf() returns the number of bytes that would be written, not > > > the number of bytes that are written (ignoring the nul terminator). > > > This means that if the number of non null bytes written were to equal > > > size, then the nul byte, which snprintf() always adds, will overwrite > > > that last byte. > > > > > > ret = snprintf(buf, 5, "hello"); > > > printf("buf = '%s'\n", buf); > > > printf("ret = %d\n", ret); > > > > > > produces: > > > > > > buf = 'hell' > > > ret = 5 > > > > > > The string was truncated without ret being greater than 5. > > > Test (ret >= size) for overwrite. > > > > What are the end-user visible effects of the bug? IOW, why cc:stable? > > > > Hmm, looking at it at a wider view, it may not be an issue. The tools > code calls this code, and I looked to see if it was possible to corrupt > the buffer by an incorrect size. But now that I'm looking at the else > part of the section, it may not be a problem as it may act the same. > > That is, ret == size will make size = 0 with the size -= ret, and we > get the same result. > > OK, you can drop the patch. Thanks for the review! Thanks Andrew, you're right. If size == ret, then size -= ret makes size = 0 and after that, the loop doesn't change the size. > > Although, there's no error message if the buffer is not big enough to > hold the fields. > > Masami? Ah, I think we need a patch to fix a comment of the function. It says * Returns the total length of the key stored in @buf. But this must be * Returns the total bytes of the key which would be written. As similar to the snprintf(), so that the user can compare the result with the given buffer size. Thank you, -- Masami Hiramatsu <mhiramat@kernel.org> ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-08-15 22:11 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-08-13 22:30 [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after() Steven Rostedt 2020-08-14 2:38 ` Andrew Morton 2020-08-14 3:04 ` Steven Rostedt 2020-08-15 11:28 ` Masami Hiramatsu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).