From: Matt Fleming <matt@codeblueprint.co.uk>
To: "Luck, Tony" <tony.luck@intel.com>
Cc: Insu Yun <wuninsu@gmail.com>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"taesoo@gatech.edu" <taesoo@gatech.edu>,
"yeongjin.jang@gatech.edu" <yeongjin.jang@gatech.edu>,
"insu@gatech.edu" <insu@gatech.edu>,
"changwoo@gatech.edu" <changwoo@gatech.edu>
Subject: Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability
Date: Thu, 14 Jan 2016 11:12:00 +0000 [thread overview]
Message-ID: <20160114111200.GA2810@codeblueprint.co.uk> (raw)
In-Reply-To: <3908561D78D1C84285E8C5FCA982C28F39FA9B5C@ORSMSX114.amr.corp.intel.com>
On Mon, 11 Jan, at 06:16:14PM, Luck, Tony wrote:
> >> What about using:
> >>
> >> msg[len] = '\0';
> >>
> >> to guarantee NUL termination?
> >
> > But that may leave garbage bytes in 'rcd_decode_str' in the case where
> > the string isn't as long as 'len'.
> >
> > How about memset()'ing the buffer to zero and deleting the NUL
> > termination line?
>
> Looks like overkill to me. We only use this function in two places:
>
> if (cper_dimm_err_location(cmem, rcd_decode_str))
> trace_seq_printf(p, "%s", rcd_decode_str);
>
> if (cper_dimm_err_location(&cmem, rcd_decode_str))
> printk("%s%s\n", pfx, rcd_decode_str);
>
> Neither would care if there were garbage after the NUL and before the
> end of the rcd_decode_str[] array.
>
> This buffer isn't visible to user space, so we aren't leaking data by having
> garbage bytes after the NUL.
What about *before* the NUL? That was the point I was trying to make.
If the string you print into the buffer isn't 'len' bytes in size the
buffer will look like,
"DIMM location: Foo bar"<garbage.....>\0
Doing the memset() before the call to snprintf() guarantees this won't
happen and means you don't have to try and calculate where the NUL
needs to be placed.
next prev parent reply other threads:[~2016-01-14 11:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-07 19:05 [PATCH] efi: fix out-of-bounds null overwrite vulnerability Insu Yun
[not found] ` <1452193530-76672-1-git-send-email-wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-01-08 10:13 ` Matt Fleming
[not found] ` <20160108101323.GA2532-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>
2016-01-08 16:47 ` Luck, Tony
[not found] ` <3908561D78D1C84285E8C5FCA982C28F39FA7208-8oqHQFITsIE64kNsxIetb7fspsVTdybXVpNB7YpNyf8@public.gmane.org>
2016-01-11 14:16 ` Matt Fleming
[not found] ` <20160111141605.GC2644-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>
2016-01-11 18:16 ` Luck, Tony
2016-01-14 11:12 ` Matt Fleming [this message]
[not found] ` <20160114111200.GA2810-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>
2016-01-15 2:06 ` Tony Luck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160114111200.GA2810@codeblueprint.co.uk \
--to=matt@codeblueprint.co.uk \
--cc=changwoo@gatech.edu \
--cc=insu@gatech.edu \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=taesoo@gatech.edu \
--cc=tony.luck@intel.com \
--cc=wuninsu@gmail.com \
--cc=yeongjin.jang@gatech.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).