Re: [PATCH crypto 2/2] crypto: caam - add allocation failure handling in SPRINTFCAT macro

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Marek Vasut <marex@denx.de>
To: "Horia Geantă" <horia.geanta@freescale.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org, stable@vger.kernel.org,
	Kim Phillips <kim.phillips@freescale.com>
Subject: Re: [PATCH crypto 2/2] crypto: caam - add allocation failure handling in SPRINTFCAT macro
Date: Wed, 23 Apr 2014 19:41:02 +0200	[thread overview]
Message-ID: <201404231941.02739.marex@denx.de> (raw)
In-Reply-To: <201404231912.19922.marex@denx.de>

On Wednesday, April 23, 2014 at 07:12:19 PM, Marek Vasut wrote:
> On Wednesday, April 23, 2014 at 06:35:45 PM, Horia Geantă wrote:
> 
> [...]
> 
> > > This entire macro looks somewhat strange.
> > 
> > I am trying to fix it with minimal changes, so the patch qualifies for
> > -stable.
> 
> This is just broken and you're not fixing it. You're just feeding this
> slimy monster called technical debt more and more code, so it can grow and
> get uglier and uglier. I hope you have no attachment to this abomination,
> since I'd like to see it dead.
> 
> > > 1) Can't you just snprintf() into $str + some offset ? Something like:
> > >     snprintf(str + strlen(str), str_total_sz - strlen(str), format,
> > >     param);
> > 
> > I think this would work. It also gets rid of memory allocation.
> > 
> > Note that strlen(str) is undefined if str is not initialized /
> > null-terminated.
> > However, all code paths seem to touch this line in caam_jr_strstatus():
> > sprintf(outstr, "%s: ", status_src[ssrc].error);
> > before reaching SPRINTFCAT macros, so str is null-terminated.
> > 
> > I'll send v2.
> 
> No, let us first agree on how to fix this insane abomination please.
> 
> But while I am looking, I see stuff like:
> 
> caam_jr_strstatus() can call report_ccb_status( , "CCB"); (basically with a
> fixed-size string argument):
> 
> 265         if (status_src[ssrc].report_ssed)
> 266                 status_src[ssrc].report_ssed(status, outstr);
> 
> Report_ccb_status( , "CCB"); will call report_jump_idx( , "CCB"); (still
> with fixed-size string arg), which contains your SPRINTFCAT() macro.
> 
> This will expand to:
> 
> ...
> strcat("CCB", tmp);
> ...
> 
> So basically you are writing into a fixed-size string? But the string is
> three- bytes long, so you are overwriting kernel memory ?

Ok, I apologize. You were right. The 'strcat()' is always called with a fixed-
length 302byte long buffer allocated on stack. Thus this code is only fragile.

I will need to think of this code a bit more before I blurt out some serious 
nonsense again.

Best regards,
Marek Vasut

next prev parent reply	other threads:[~2014-04-23 17:41 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-18 10:01 [PATCH crypto 1/2] crypto: caam - fix mem leak in ahash_setkey Horia Geanta
2014-04-18 10:01 ` [PATCH crypto 2/2] crypto: caam - add allocation failure handling in SPRINTFCAT macro Horia Geanta
2014-04-22 23:56   ` Marek Vasut
2014-04-23 16:35     ` Horia Geantă
2014-04-23 17:12       ` Marek Vasut
2014-04-23 17:41         ` Marek Vasut [this message]
2014-04-28 10:24   ` Herbert Xu
2014-04-28 19:28     ` Marek Vasut
2014-04-28 21:53       ` Herbert Xu
2014-04-28 22:29         ` Marek Vasut
2014-04-22 23:47 ` [PATCH crypto 1/2] crypto: caam - fix mem leak in ahash_setkey Marek Vasut
2014-04-28 10:25   ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=201404231941.02739.marex@denx.de \
    --to=marex@denx.de \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=horia.geanta@freescale.com \
    --cc=kim.phillips@freescale.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.