Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp3684770ioa; Tue, 26 Apr 2022 08:12:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxH5tmPy4q9oO4P++M//KV8PVnzzZmlgk1XUS/LjbIVnqJT9hoDuGW54YPsdICu86KCVDwc X-Received: by 2002:a62:15c7:0:b0:50d:388d:916a with SMTP id 190-20020a6215c7000000b0050d388d916amr12987514pfv.8.1650985938083; Tue, 26 Apr 2022 08:12:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650985938; cv=none; d=google.com; s=arc-20160816; b=pNrQOp/69CVID1jYbKaNDfTNP9yeNarXAr9T1rmlX2carHAxZ8rUT97O/obuHoRAau l2cE/oWafz0pKh7nMnGc/2RCtiKP6+3aVvQeVVJVrB0QG20ySnZKzTr6bXh2fmFX8bNe Ox2Y8wtV+8KTJhfeIpciLt68XZM6yExuZQaoiiKMJDQ8gRfZCdxVtNvfIsYIMnBRjYBL JlJwJebuVCn0vNel6NhcpFV4eY0Po4kWLcAKdHASAZwPQAOFf6v8JRmMPHUwkVMf7zZf 2LVyIioy//532bxsD2ITIhPF2XdfNz438gQHC8snj3Yf7y7TLKjGUrSL/dJbeijfcijh jOUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:message-id :in-reply-to:subject:cc:to:from:date:dkim-signature; bh=oJD5xC8SprIb8K+UCx90jV3PQEQRxPIl24GGInpUOjM=; b=jDgxkASfYLk7NgBgdQX1caWbOiCwS+U6VWIJSvpwP+B96Z2svAQ/IYTyyR8IfCl6iz j7p3E7GP1suqz5GNrXCTu5GXnuEPCQdYwtoPFo0ikRBx5VqgQHOl3FwQ25b6XghXKui8 d1XOD4qWYYTo1LgoIyT5MTHoFLJ8mheojf8kHxgSAxN0k7tExsowvB2/Y+jh4FrQYTaT 6EUvcxgioOMZGgUAOo4sPyKk6U8vlGR/8X07CthlNFvoKrWX8GzAw7BlNPR3yRq7OgMT G1jxGqhCJ/y56YTXAXYYEDFUKGDuswRnrEMpS9ILP8xS5tMFW18RuvM6JCM7iMwfyZJA ttgw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=cEgC4aSt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t21-20020a632255000000b003a0771d526esi19617048pgm.705.2022.04.26.08.12.01; Tue, 26 Apr 2022 08:12:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=cEgC4aSt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349774AbiDZMLk (ORCPT + 99 others); Tue, 26 Apr 2022 08:11:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41180 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349775AbiDZMLj (ORCPT ); Tue, 26 Apr 2022 08:11:39 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 23A67152796 for ; Tue, 26 Apr 2022 05:08:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1650974911; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=oJD5xC8SprIb8K+UCx90jV3PQEQRxPIl24GGInpUOjM=; b=cEgC4aStcxZxlnprBTZT9Tl90AVtB4q1+TeLmZorKBWpPHEyM+k9qCPIWmIBcT695fWmqb lLExcK2ih1AZ+2c58vsHXHvp9h6VGRQtxdHloEZYa6dOvLGJonR5kxTWwxV6np6dyi7pir nJxZOG4iSQuKc6vrQXKjaijPS/VgSGk= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-492-1yVq27eWNZuf27knO86hIA-1; Tue, 26 Apr 2022 08:08:27 -0400 X-MC-Unique: 1yVq27eWNZuf27knO86hIA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D1F03805F70; Tue, 26 Apr 2022 12:08:16 +0000 (UTC) Received: from file01.intranet.prod.int.rdu2.redhat.com (file01.intranet.prod.int.rdu2.redhat.com [10.11.5.7]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 741342024CB7; Tue, 26 Apr 2022 12:08:02 +0000 (UTC) Received: from file01.intranet.prod.int.rdu2.redhat.com (localhost [127.0.0.1]) by file01.intranet.prod.int.rdu2.redhat.com (8.14.4/8.14.4) with ESMTP id 23QC7wg9003342; Tue, 26 Apr 2022 08:07:58 -0400 Received: from localhost (mpatocka@localhost) by file01.intranet.prod.int.rdu2.redhat.com (8.14.4/8.14.4/Submit) with ESMTP id 23QC7nbX003337; Tue, 26 Apr 2022 08:07:52 -0400 X-Authentication-Warning: file01.intranet.prod.int.rdu2.redhat.com: mpatocka owned process doing -bs Date: Tue, 26 Apr 2022 08:07:44 -0400 (EDT) From: Mikulas Patocka X-X-Sender: mpatocka@file01.intranet.prod.int.rdu2.redhat.com To: Andy Shevchenko cc: Linus Torvalds , Andy Shevchenko , Mimi Zohar , device-mapper development , Linux Kernel Mailing List , Mike Snitzer , Milan Broz Subject: [PATCH v2] hex2bin: fix access beyond string end In-Reply-To: Message-ID: References: User-Agent: Alpine 2.02 (LRH 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 26 Apr 2022, Andy Shevchenko wrote: > On Sun, Apr 24, 2022 at 10:48 PM Mikulas Patocka wrote: > > > > If we pass too short string to "hex2bin" (and the string size without the > > terminating NUL character is even), "hex2bin" reads one byte after the > > terminating NUL character. This patch fixes it. > > > > Signed-off-by: Mikulas Patocka > > Cc: stable@vger.kernel.org > > You need to provide a Fixes tag. OK. Here I resend it with the "Fixes" tag. > And on top of that it would be nice to understand if we need to > support half-bytes, but in any case it's not a scope of the patch > right now. Do you think that there are any users who need this? > -- > With Best Regards, > Andy Shevchenko Mikulas From: Mikulas Patocka If we pass too short string to "hex2bin" (and the string size without the terminating NUL character is even), "hex2bin" reads one byte after the terminating NUL character. This patch fixes it. Signed-off-by: Mikulas Patocka Fixes: b78049831ffe ("lib: add error checking to hex2bin") Cc: stable@vger.kernel.org --- lib/hexdump.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) Index: linux-2.6/lib/hexdump.c =================================================================== --- linux-2.6.orig/lib/hexdump.c 2022-04-24 18:51:16.000000000 +0200 +++ linux-2.6/lib/hexdump.c 2022-04-24 18:51:16.000000000 +0200 @@ -45,10 +45,13 @@ EXPORT_SYMBOL(hex_to_bin); int hex2bin(u8 *dst, const char *src, size_t count) { while (count--) { - int hi = hex_to_bin(*src++); - int lo = hex_to_bin(*src++); + int hi, lo; - if ((hi < 0) || (lo < 0)) + hi = hex_to_bin(*src++); + if (hi < 0) + return -EINVAL; + lo = hex_to_bin(*src++); + if (lo < 0) return -EINVAL; *dst++ = (hi << 4) | lo;