Date: Tue, 26 Apr 2022 08:07:44 -0400 (EDT)
From: Mikulas Patocka
To: Andy Shevchenko
cc: Linus Torvalds, Andy Shevchenko, Mimi Zohar, device-mapper development, Linux Kernel Mailing List, Mike Snitzer, Milan Broz
Subject: [PATCH v2] hex2bin: fix access beyond string end
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 26 Apr 2022, Andy Shevchenko wrote:

> On Sun, Apr 24, 2022 at 10:48 PM Mikulas Patocka wrote:
> >
> > If we pass too short string to "hex2bin" (and the string size without the
> > terminating NUL character is even), "hex2bin" reads one byte after the
> > terminating NUL character. This patch fixes it.
> >
> > Signed-off-by: Mikulas Patocka
> > Cc: stable@vger.kernel.org
>
> You need to provide a Fixes tag.

OK. Here I resend it with the "Fixes" tag.

> And on top of that it would be nice to understand if we need to
> support half-bytes, but in any case it's not a scope of the patch
> right now.

Do you think that there are any users who need this?

> --
> With Best Regards,
> Andy Shevchenko

Mikulas


From: Mikulas Patocka

If we pass too short string to "hex2bin" (and the string size without the
terminating NUL character is even), "hex2bin" reads one byte after the
terminating NUL character. This patch fixes it.

Signed-off-by: Mikulas Patocka
Fixes: b78049831ffe ("lib: add error checking to hex2bin")
Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko

---
 lib/hexdump.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Index: linux-2.6/lib/hexdump.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- linux-2.6.orig/lib/hexdump.c 2022-04-24 18:51:16.000000000 +0200 +++ linux-2.6/lib/hexdump.c 2022-04-24 18:51:16.000000000 +0200 @@ -45,10 +45,13 @@ EXPORT_SYMBOL(hex_to_bin); int hex2bin(u8 *dst, const char *src, size_t count) { while (count--) { - int hi =3D hex_to_bin(*src++); - int lo =3D hex_to_bin(*src++); + int hi, lo; =20 - if ((hi < 0) || (lo < 0)) + hi =3D hex_to_bin(*src++); + if (hi < 0) + return -EINVAL; + lo =3D hex_to_bin(*src++); + if (lo < 0) return -EINVAL; =20 *dst++ =3D (hi << 4) | lo;
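
Review bot: In the new `hi` check, the early `return -EINVAL` stops the second `*src++` read only because a NUL terminator makes hex_to_bin() return a negative value; the loop still trusts `count` alone and has no length for `src`, so a source buffer that is neither NUL-terminated nor 2*count bytes long is read past its end exactly as before. It would help to state that contract in the comment above hex2bin(): `src` must hold 2*count hex digits or be NUL-terminated. The same comment could note that on -EINVAL `dst` may already contain the bytes converted by earlier iterations, since `*dst++ = (hi << 4) | lo;` runs for each good pair before a later pair fails, so callers must not use the output buffer after an error.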