From patchwork Wed May 4 16:44:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 569883 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C98BAC433F5 for ; Wed, 4 May 2022 16:52:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353930AbiEDQ4G (ORCPT ); Wed, 4 May 2022 12:56:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353933AbiEDQxR (ORCPT ); Wed, 4 May 2022 12:53:17 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3970247AD4; Wed, 4 May 2022 09:48:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id F1DE8B8279C; Wed, 4 May 2022 16:48:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A6D54C385B1; Wed, 4 May 2022 16:48:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1651682931; bh=Hb0Ps1KMCg8C10a8QkE13mbaG1J1zYAFRiPAOV/CS/k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uiKi/f4ga2+saI5ZHYvwijpUbfTSqL0U0ipPSp23H7gMKiS7GVKHx4JBIpWXuZWA0 9PvzZXqE9zFjoW5Lr2R8lp3JoSfWIbtC5MUap+fnNhFiQc8a1Htuy3RS2G3vrD1A/b 9lxLyDWKxv6QxB+bxcP16VLyt8HyfoRiOpkmiTc8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mikulas Patocka , Andy Shevchenko , Linus Torvalds Subject: [PATCH 5.4 28/84] hex2bin: fix access beyond string end Date: Wed, 4 May 2022 18:44:09 +0200 Message-Id: <20220504152929.765626675@linuxfoundation.org> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220504152927.744120418@linuxfoundation.org> References: <20220504152927.744120418@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Mikulas Patocka commit e4d8a29997731b3bb14059024b24df9f784288d0 upstream. If we pass too short string to "hex2bin" (and the string size without the terminating NUL character is even), "hex2bin" reads one byte after the terminating NUL character. This patch fixes it. Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on error - so we can't just return the variable "hi" or "lo" on error. This inconsistency may be fixed in the next merge window, but for the purpose of fixing this bug, we just preserve the existing behavior and return -1 and -EINVAL. Signed-off-by: Mikulas Patocka Reviewed-by: Andy Shevchenko Fixes: b78049831ffe ("lib: add error checking to hex2bin") Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- lib/hexdump.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/lib/hexdump.c +++ b/lib/hexdump.c @@ -62,10 +62,13 @@ EXPORT_SYMBOL(hex_to_bin); int hex2bin(u8 *dst, const char *src, size_t count) { while (count--) { - int hi = hex_to_bin(*src++); - int lo = hex_to_bin(*src++); + int hi, lo; - if ((hi < 0) || (lo < 0)) + hi = hex_to_bin(*src++); + if (unlikely(hi < 0)) + return -EINVAL; + lo = hex_to_bin(*src++); + if (unlikely(lo < 0)) return -EINVAL; *dst++ = (hi << 4) | lo;