Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability

From: Matt Fleming
Date: Thu Jan 14 2016 - 06:12:22 EST


On Mon, 11 Jan, at 06:16:14PM, Luck, Tony wrote:
> >> What about using:
> >>
> >> msg[len] = '\0';
> >>
> >> to guarantee NUL termination?
> >
> > But that may leave garbage bytes in 'rcd_decode_str' in the case where
> > the string isn't as long as 'len'.
> >
> > How about memset()'ing the buffer to zero and deleting the NUL
> > termination line?
>
> Looks like overkill to me. We only use this function in two places:
>
> if (cper_dimm_err_location(cmem, rcd_decode_str))
> trace_seq_printf(p, "%s", rcd_decode_str);
>
> if (cper_dimm_err_location(&cmem, rcd_decode_str))
> printk("%s%s\n", pfx, rcd_decode_str);
>
> Neither would care if there were garbage after the NUL and before the
> end of the rcd_decode_str[] array.
>
> This buffer isn't visible to user space, so we aren't leaking data by having
> garbage bytes after the NUL.

What about *before* the NUL? That was the point I was trying to make.
If the string you print into the buffer isn't 'len' bytes in size the
buffer will look like,

"DIMM location: Foo bar"<garbage.....>\0

Doing the memset() before the call to snprintf() guarantees this won't
happen and means you don't have to try and calculate where the NUL
needs to be placed.