From patchwork Tue Jun 20 17:35:18 2017
X-Patchwork-Submitter: Jonathan Corbet
X-Patchwork-Id: 106009
Date: Tue, 20 Jun 2017 11:35:18 -0600
From: Jonathan Corbet
To: Andrew Morton
Cc: LKML, Ilya Matveychikov
Subject: Fw: [PATCH] cmdline: fix get_options() overflow while parsing ranges
Message-ID: <20170620113518.638eac2f@lwn.net>
Organization: LWN.net
X-Mailing-List: linux-kernel@vger.kernel.org

Andrew, this seems to have fallen through the cracks. It addresses a real bug with possible security considerations and should probably get merged with a CC: stable...?

jon

Begin forwarded message:

Date: Mon, 22 May 2017 19:53:47 +0400
From: Ilya Matveychikov To: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Subject: [PATCH] cmdline: fix get_options() overflow while parsing ranges When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers. Signed-off-by: Ilya V. Matveychikov --- lib/cmdline.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- 2.7.4 diff --git a/lib/cmdline.c b/lib/cmdline.c index 8f13cf7..79069d7 100644 --- a/lib/cmdline.c +++ b/lib/cmdline.c @@ -22,14 +22,14 @@ * the values[M, M+1, ..., N] into the ints array in get_options. */ -static int get_range(char **str, int *pint) +static int get_range(char **str, int *pint, int n) { int x, inc_counter, upper_range; (*str)++; upper_range = simple_strtol((*str), NULL, 0); inc_counter = upper_range - *pint; - for (x = *pint; x < upper_range; x++) + for (x = *pint; n && x < upper_range; x++, n--) *pint++ = x; return inc_counter; } @@ -96,7 +96,7 @@ char *get_options(const char *str, int nints, int *ints) break; if (res == 3) { int range_nums; - range_nums = get_range((char **)&str, ints + i); + range_nums = get_range((char **)&str, ints + i, nints - i); if (range_nums < 0) break; /*
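Review bot: In get_range(), the return value is still inc_counter = upper_range - *pint, computed before the loop, so when the new n limit ends the loop early the function reports more entries than it actually stored. Consider returning the number of values written, or a negative value on truncation so that the existing "if (range_nums < 0) break;" path in get_options() catches it. The loop test "n &&" also treats a negative n as room remaining; "n > 0" is the safer form. The comment block above the function should describe the new n parameter.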
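Review bot: At the get_range() call in get_options(), the only check on the result is still "if (range_nums < 0)", so a range cut short by the new nints - i limit is treated the same as one that fit. With an input like the 1-100500 from the commit message, range_nums can be larger than the space that was passed in, so any later use of range_nums should be bounded by nints - i, or the truncation should be detected here and parsing stopped. A short comment stating that nints - i is the number of slots left starting at ints + i would make the bound easier to audit.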