From: Marek Vasut <marex@denx.de>
To: "Horia Geantă" <horia.geanta@freescale.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org, stable@vger.kernel.org,
Kim Phillips <kim.phillips@freescale.com>
Subject: Re: [PATCH crypto 2/2] crypto: caam - add allocation failure handling in SPRINTFCAT macro
Date: Wed, 23 Apr 2014 19:41:02 +0200 [thread overview]
Message-ID: <201404231941.02739.marex@denx.de> (raw)
In-Reply-To: <201404231912.19922.marex@denx.de>
On Wednesday, April 23, 2014 at 07:12:19 PM, Marek Vasut wrote:
> On Wednesday, April 23, 2014 at 06:35:45 PM, Horia Geantă wrote:
>
> [...]
>
> > > This entire macro looks somewhat strange.
> >
> > I am trying to fix it with minimal changes, so the patch qualifies for
> > -stable.
>
> This is just broken and you're not fixing it. You're just feeding this
> slimy monster called technical debt more and more code, so it can grow and
> get uglier and uglier. I hope you have no attachment to this abomination,
> since I'd like to see it dead.
>
> > > 1) Can't you just snprintf() into $str + some offset ? Something like:
> > > snprintf(str + strlen(str), str_total_sz - strlen(str), format,
> > > param);
> >
> > I think this would work. It also gets rid of memory allocation.
> >
> > Note that strlen(str) is undefined if str is not initialized /
> > null-terminated.
> > However, all code paths seem to touch this line in caam_jr_strstatus():
> > sprintf(outstr, "%s: ", status_src[ssrc].error);
> > before reaching SPRINTFCAT macros, so str is null-terminated.
> >
> > I'll send v2.
>
> No, let us first agree on how to fix this insane abomination please.
>
> But while I am looking, I see stuff like:
>
> caam_jr_strstatus() can call report_ccb_status( , "CCB"); (basically with a
> fixed-size string argument):
>
> 265 if (status_src[ssrc].report_ssed)
> 266 status_src[ssrc].report_ssed(status, outstr);
>
> Report_ccb_status( , "CCB"); will call report_jump_idx( , "CCB"); (still
> with fixed-size string arg), which contains your SPRINTFCAT() macro.
>
> This will expand to:
>
> ...
> strcat("CCB", tmp);
> ...
>
> So basically you are writing into a fixed-size string? But the string is
> three- bytes long, so you are overwriting kernel memory ?
Ok, I apologize. You were right. The 'strcat()' is always called with a fixed-
length 302byte long buffer allocated on stack. Thus this code is only fragile.
I will need to think of this code a bit more before I blurt out some serious
nonsense again.
Best regards,
Marek Vasut
next prev parent reply other threads:[~2014-04-23 17:41 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-18 10:01 [PATCH crypto 1/2] crypto: caam - fix mem leak in ahash_setkey Horia Geanta
2014-04-18 10:01 ` [PATCH crypto 2/2] crypto: caam - add allocation failure handling in SPRINTFCAT macro Horia Geanta
2014-04-22 23:56 ` Marek Vasut
2014-04-23 16:35 ` Horia Geantă
2014-04-23 17:12 ` Marek Vasut
2014-04-23 17:41 ` Marek Vasut [this message]
2014-04-28 10:24 ` Herbert Xu
2014-04-28 19:28 ` Marek Vasut
2014-04-28 21:53 ` Herbert Xu
2014-04-28 22:29 ` Marek Vasut
2014-04-22 23:47 ` [PATCH crypto 1/2] crypto: caam - fix mem leak in ahash_setkey Marek Vasut
2014-04-28 10:25 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201404231941.02739.marex@denx.de \
--to=marex@denx.de \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@freescale.com \
--cc=kim.phillips@freescale.com \
--cc=linux-crypto@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).