[PATCH] m68k/kernel: array out of bound access in process_uboot_commandline

Hangyu Hua posted 1 patch 4 years, 6 months ago
arch/m68k/kernel/uboot.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH] m68k/kernel: array out of bound access in process_uboot_commandline
Posted by Hangyu Hua 4 years, 6 months ago
When the size of commandp >= size, array out of bound write occurs because
len == 0.

Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 arch/m68k/kernel/uboot.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
index 928dbd33fc4a..05eca6f653b5 100644
--- a/arch/m68k/kernel/uboot.c
+++ b/arch/m68k/kernel/uboot.c
@@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
 	}
 
 	parse_uboot_commandline(commandp, len);
-	commandp[len - 1] = 0;
+	if (len > 0)
+		commandp[len - 1] = 0;
+	else
+		commandp[0] = 0;
 }
-- 
2.25.1

Re: [PATCH] m68k/kernel: array out of bound access in process_uboot_commandline
Posted by Andreas Schwab 4 years, 6 months ago
On Dez 27 2021, Hangyu Hua wrote:

> diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
> index 928dbd33fc4a..05eca6f653b5 100644
> --- a/arch/m68k/kernel/uboot.c
> +++ b/arch/m68k/kernel/uboot.c
> @@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
>  	}
>  
>  	parse_uboot_commandline(commandp, len);
> -	commandp[len - 1] = 0;
> +	if (len > 0)
> +		commandp[len - 1] = 0;
> +	else
> +		commandp[0] = 0;

If len == 0 then even commandp[0] is OOB.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."
Re: [PATCH] m68k/kernel: array out of bound access in process_uboot_commandline
Posted by Hangyu Hua 4 years, 6 months ago
But commandp[len -1] is used to add a zero-terminated. If we don't use
commandp[0]=0 in len == 0,
than commandp will not have a zero-terminated. I think strings may
make some errors beacause of this.

Thanks.


Andreas Schwab <schwab@linux-m68k.org> 于2021年12月27日周一 17:19写道:
>
> On Dez 27 2021, Hangyu Hua wrote:
>
> > diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
> > index 928dbd33fc4a..05eca6f653b5 100644
> > --- a/arch/m68k/kernel/uboot.c
> > +++ b/arch/m68k/kernel/uboot.c
> > @@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
> >       }
> >
> >       parse_uboot_commandline(commandp, len);
> > -     commandp[len - 1] = 0;
> > +     if (len > 0)
> > +             commandp[len - 1] = 0;
> > +     else
> > +             commandp[0] = 0;
>
> If len == 0 then even commandp[0] is OOB.
>
> --
> Andreas Schwab, schwab@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
> "And now for something completely different."
Re: [PATCH] m68k/kernel: array out of bound access in process_uboot_commandline
Posted by Andreas Schwab 4 years, 6 months ago
On Dez 27 2021, Hangyu Hua wrote:

> If we don't use
> commandp[0]=0 in len == 0,
> than commandp will not have a zero-terminated.

That doesn't make sense.  There is no room for the zero.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."
Re: [PATCH] m68k/kernel: array out of bound access in process_uboot_commandline
Posted by Hangyu Hua 4 years, 6 months ago
You are right. I will resubmit the patch later.

Thanks.

Andreas Schwab <schwab@linux-m68k.org> 于2021年12月27日周一 19:56写道:
>
> On Dez 27 2021, Hangyu Hua wrote:
>
> > If we don't use
> > commandp[0]=0 in len == 0,
> > than commandp will not have a zero-terminated.
>
> That doesn't make sense.  There is no room for the zero.
>
> --
> Andreas Schwab, schwab@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
> "And now for something completely different."