RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability

From: Luck, Tony
Date: Mon Jan 11 2016 - 13:16:20 EST

Next message: Mark Brown: "Re: [PATCH v5 2/5] doc: bindings: Document for hi655x regulator driver"
Previous message: Alexei Starovoitov: "Re: [PATCH net-next] perf/core: Put size of a sample at the end of it by PERF_SAMPLE_TAILSIZE"
In reply to: Matt Fleming: "Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Next in thread: Matt Fleming: "Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>> What about using:
>>
>> msg[len] = '\0';
>>
>> to guarantee NUL termination?
>
> But that may leave garbage bytes in 'rcd_decode_str' in the case where
> the string isn't as long as 'len'.
>
> How about memset()'ing the buffer to zero and deleting the NUL
> termination line?

Looks like overkill to me. We only use this function in two places:

if (cper_dimm_err_location(cmem, rcd_decode_str))
trace_seq_printf(p, "%s", rcd_decode_str);

if (cper_dimm_err_location(&cmem, rcd_decode_str))
printk("%s%s\n", pfx, rcd_decode_str);

Neither would care if there were garbage after the NUL and before the
end of the rcd_decode_str[] array.

This buffer isn't visible to user space, so we aren't leaking data by having
garbage bytes after the NUL.

-Tony

Next message: Mark Brown: "Re: [PATCH v5 2/5] doc: bindings: Document for hi655x regulator driver"
Previous message: Alexei Starovoitov: "Re: [PATCH net-next] perf/core: Put size of a sample at the end of it by PERF_SAMPLE_TAILSIZE"
In reply to: Matt Fleming: "Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Next in thread: Matt Fleming: "Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]