Re: SECURITY - data leakage due to incorrect strncpy implementation
From: Martin Schwidefsky
Date: Thu Jan 29 2004 - 04:00:29 EST
Hi Pete,
> I do not undestand Alan's position, if he is for it or against it.
> Anyway, in case you want it, here's what I wrote for s390.
> I wrote some userland tests, it seems to check out. BUT I warn you,
> someone better check my assembly.
Learning to write inline assembly? Nice, but it has one small
problem, the count in %r4 is not decremented for 0x00 byte.
Try my little patch.
blue skies,
Martin.
diff -urN linux-2.6.1/arch/s390/lib/strncpy.S linux-2.6.1-s390/arch/s390/lib/strncpy.S
--- linux-2.6.1/arch/s390/lib/strncpy.S Fri Jan 9 07:59:45 2004
+++ linux-2.6.1-s390/arch/s390/lib/strncpy.S Thu Jan 29 09:53:02 2004
@@ -23,8 +23,13 @@
LA 3,1(3)
STC 0,0(1)
LA 1,1(1)
- JZ strncpy_exit # ICM inserted a 0x00
+ JZ strncpy_pad # ICM inserted a 0x00
BRCT 4,strncpy_loop # R4 -= 1, jump to strncpy_loop if > 0
strncpy_exit:
BR 14
-
+strncpy_clear:
+ STC 0,0(1)
+ LA 1,1(1)
+strncpy_pad:
+ BRCT 4,strncpy_clear
+ BR 14
diff -urN linux-2.6.1/arch/s390/lib/strncpy64.S linux-2.6.1-s390/arch/s390/lib/strncpy64.S
--- linux-2.6.1/arch/s390/lib/strncpy64.S Fri Jan 9 07:59:10 2004
+++ linux-2.6.1-s390/arch/s390/lib/strncpy64.S Thu Jan 29 09:53:02 2004
@@ -23,8 +23,13 @@
LA 3,1(3)
STC 0,0(1)
LA 1,1(1)
- JZ strncpy_exit # ICM inserted a 0x00
+ JZ strncpy_pad # ICM inserted a 0x00
BRCTG 4,strncpy_loop # R4 -= 1, jump to strncpy_loop if > 0
strncpy_exit:
BR 14
-
+strncpy_clear:
+ STC 0,0(1)
+ LA 1,1(1)
+strncpy_pad:
+ BRCTG 4,strncpy_clear
+ BR 14
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/