Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp4682636ioa; Wed, 27 Apr 2022 08:53:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy8w8S5gyAjDchZQkEzrukxIJvPwW9/DWh3OosXhMTMmaj10yGweL0XY8jj5pPt+9g+qFQM X-Received: by 2002:a17:902:bb90:b0:158:a031:2ff2 with SMTP id m16-20020a170902bb9000b00158a0312ff2mr29608497pls.117.1651074823420; Wed, 27 Apr 2022 08:53:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651074823; cv=none; d=google.com; s=arc-20160816; b=u/BLpjIcIkoDu75MY4O9nGAy+YAEG95pS+Egh1pWXoIeZLkUzYg3BzGkcZxsqAnf3r eajRf5xTRkDecWKgUA24OdywPioYWw4v6mQiSYfgKI0Wzi10Ye3r3zBXe5VvO828fksx /lpL7y2FOHiVTcaM3/BjkKBVb8bVdEW9VEVa/feYcSN4A10gOAHWXgporXmo3M6F3q5m OV2LZFeUoJNObrAyLK+WUKx98TW8JQzGzJGJLHp+UyMCYIV8DftlRVPSNgEptrFpu9Px Iim3ch45C2uDZz1xQhEM6bO9aXRiiTaIbp91LyOOI4Pzm4oKYv1BND72gdCBSXCdXG77 DH4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:message-id :in-reply-to:subject:cc:to:from:date:dkim-signature; bh=1dggXmtnParX3s6CWVf4SQVhg+VlIqzTsxVQxpElgZI=; b=PepUULHu3vUOi7JshmvMSGGCnxIEMi9wg207xdOnsCIAqHyE52apVthoTQ/O4DJrjb yOK7ZJyN4bbY/+fEIvuhz3iRAijg7MfyDpuGJfWviJH+k8f+KvRfqbtNgQFRpjuJfx2O fiF3QPGtpHyoMJT+ctOI9cqx8YehE9d60C5BH0plMvWL0WW3bw0ckH2btF4tFyFVKNp+ 8MB3CFmIgC0zh9+sxC+XqBVMrxB0n3CGoidlpoQ6lvjGdKCKP/AsAhfnGyMuW1ZQP35p ZtT0JwBOf0UDIi9KYlRlynTbhdJ5n0uGPL4Zt5/SykqZUCgNb1UF1/+Lq/Dq7KnHMb0I +67w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aUNvG9AY; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id oc3-20020a17090b1c0300b001d942616147si2414887pjb.9.2022.04.27.08.53.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Apr 2022 08:53:43 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aUNvG9AY; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CAAC236AF36; Wed, 27 Apr 2022 08:26:55 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239824AbiD0PaA (ORCPT + 99 others); Wed, 27 Apr 2022 11:30:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39202 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239573AbiD0P36 (ORCPT ); Wed, 27 Apr 2022 11:29:58 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BDA3036A67E for ; Wed, 27 Apr 2022 08:26:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1651073205; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=1dggXmtnParX3s6CWVf4SQVhg+VlIqzTsxVQxpElgZI=; b=aUNvG9AY53v8FJjD357xpKljxdGbatOPR2o5iSa7PcJWfgQi2L0XVcfBhySuZJt7jMY+ng dJirazro2EKiGmhkAKWD/z9ES0EkLgzlIizUoLeYbpbsexn3dsRITnP3OPMWkoQ5phbwVj FrnPOfO6WyzyRKMeWC7o2gIzvdjrYnw= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-468-nkRfXIeJN3utbjYLsU_mqA-1; Wed, 27 Apr 2022 11:26:41 -0400 X-MC-Unique: nkRfXIeJN3utbjYLsU_mqA-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0617029DD991; Wed, 27 Apr 2022 15:26:41 +0000 (UTC) Received: from file01.intranet.prod.int.rdu2.redhat.com (file01.intranet.prod.int.rdu2.redhat.com [10.11.5.7]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EEF52401475; Wed, 27 Apr 2022 15:26:40 +0000 (UTC) Received: from file01.intranet.prod.int.rdu2.redhat.com (localhost [127.0.0.1]) by file01.intranet.prod.int.rdu2.redhat.com (8.14.4/8.14.4) with ESMTP id 23RFQeCt021649; Wed, 27 Apr 2022 11:26:40 -0400 Received: from localhost (mpatocka@localhost) by file01.intranet.prod.int.rdu2.redhat.com (8.14.4/8.14.4/Submit) with ESMTP id 23RFQehO021645; Wed, 27 Apr 2022 11:26:40 -0400 X-Authentication-Warning: file01.intranet.prod.int.rdu2.redhat.com: mpatocka owned process doing -bs Date: Wed, 27 Apr 2022 11:26:40 -0400 (EDT) From: Mikulas Patocka X-X-Sender: mpatocka@file01.intranet.prod.int.rdu2.redhat.com To: Linus Torvalds cc: Andy Shevchenko , Mimi Zohar , device-mapper development , Linux Kernel Mailing List , Mike Snitzer , Milan Broz Subject: [PATCH v3] hex2bin: fix access beyond string end In-Reply-To: Message-ID: References: User-Agent: Alpine 2.02 (LRH 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10 X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If we pass too short string to "hex2bin" (and the string size without the terminating NUL character is even), "hex2bin" reads one byte after the terminating NUL character. This patch fixes it. Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on error - so we can't just return the variable "hi" or "lo" on error. This inconsistency may be fixed in the next merge window, but for the purpose of fixing this bug, we just preserve the existing behavior and return -1 and -EINVAL. Signed-off-by: Mikulas Patocka Reviewed-by: Andy Shevchenko Fixes: b78049831ffe ("lib: add error checking to hex2bin") Cc: stable@vger.kernel.org --- lib/hexdump.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) Index: linux-2.6/lib/hexdump.c =================================================================== --- linux-2.6.orig/lib/hexdump.c 2022-04-24 18:51:16.000000000 +0200 +++ linux-2.6/lib/hexdump.c 2022-04-27 17:16:38.000000000 +0200 @@ -45,10 +45,13 @@ EXPORT_SYMBOL(hex_to_bin); int hex2bin(u8 *dst, const char *src, size_t count) { while (count--) { - int hi = hex_to_bin(*src++); - int lo = hex_to_bin(*src++); + int hi, lo; - if ((hi < 0) || (lo < 0)) + hi = hex_to_bin(*src++); + if (unlikely(hi < 0)) + return -EINVAL; + lo = hex_to_bin(*src++); + if (unlikely(lo < 0)) return -EINVAL; *dst++ = (hi << 4) | lo;