From: Matt Fleming
To: "Luck, Tony"
Cc: Insu Yun, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, taesoo@gatech.edu, yeongjin.jang@gatech.edu, insu@gatech.edu, changwoo@gatech.edu
Subject: Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability
Date: Mon, 11 Jan 2016 14:16:05 +0000
Message-ID: <20160111141605.GC2644@codeblueprint.co.uk>
In-Reply-To: <3908561D78D1C84285E8C5FCA982C28F39FA7208@ORSMSX114.amr.corp.intel.com>
References: <1452193530-76672-1-git-send-email-wuninsu@gmail.com> <20160108101323.GA2532@codeblueprint.co.uk> <3908561D78D1C84285E8C5FCA982C28F39FA7208@ORSMSX114.amr.corp.intel.com>

On Fri, 08 Jan, at 04:47:17PM, Luck, Tony wrote:
> > But this function doesn't use snprintf(), it uses scnprintf() which
> > returns the number of characters written into buf and, because
> > scnprintf() largely follows vsnprintf(), it will never write more than
> > 'size' bytes into the buffer.
>
>         if (bank && device)
>                 n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
>
> That looks like "snprintf", not "scnprintf" to me :-)

Oops! Can you believe I looked at the wrong function?

> What about using:
>
>         msg[len] = '\0';
>
> to guarantee NUL termination?

But that may leave garbage bytes in 'rcd_decode_str' in the case where
the string isn't as long as 'len'.

How about memset()'ing the buffer to zero and deleting the NUL
termination line?
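The snprintf()/scnprintf() return-value difference behind this thread, as an added C example that is not kernel code and not from any message above: scnprintf_like() is a constructed userspace stand-in for the kernel's scnprintf(), the DIMM format string is reused from the quoted snippet, and safe_decode() shows the memset() approach proposed in the reply.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf() (constructed for this
 * example): unlike snprintf(), it returns the number of characters actually
 * stored in buf, excluding the terminating NUL, so the result is always
 * smaller than size whenever size > 0. */
static int scnprintf_like(char *buf, size_t size, const char *fmt, ...)
{
	va_list args;
	int i;

	va_start(args, fmt);
	i = vsnprintf(buf, size, fmt, args);
	va_end(args);

	if (size == 0)
		return 0;
	return i < (int)size ? i : (int)(size - 1);
}

/* The pattern from the thread with plain snprintf(): returns the value that
 * 'msg[n] = 0' would index. When the formatted string is truncated, n is the
 * length it *would* have had, i.e. >= len, so writing msg[n] would land past
 * the end of the buffer. Nothing is written at msg[n] here. */
static int unsafe_terminator_index(char *msg, size_t len,
				   const char *bank, const char *device)
{
	return snprintf(msg, len, "DIMM location: %s %s ", bank, device);
}

/* Hardened variant: zero the whole buffer first so no stale bytes remain,
 * and use a scnprintf()-style call so the returned index always lies inside
 * the buffer. No separate NUL-termination store is needed. */
static int safe_decode(char *msg, size_t len,
		       const char *bank, const char *device)
{
	memset(msg, 0, len);
	return scnprintf_like(msg, len, "DIMM location: %s %s ", bank, device);
}
```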