Message ID | 20230726-nolibc-result-width-v1-1-d1d2dc21844e@weissschuh.net (mailing list archive) |
---|---|
State | Accepted |
Commit | 447e56023fc281c588e4977add552f4d49d78b22 |
Series | selftests/nolibc: avoid buffer underrun in space printing |
On Wed, Jul 26, 2023 at 08:08:13AM +0200, Thomas Weißschuh wrote:
> If the test description is longer than the status alignment the
> parameter 'n' to putcharn() would lead to a signed underflow that then
> gets converted to a very large unsigned value.
> This in turn leads to out-of-bound writes in memset() crashing the
> application.
>
> The failure case of EXPECT_PTRER() used in "mmap_bad" exhibits this
> exact behavior.
>
> Fixes: 8a27526f49f9 ("selftests/nolibc: add EXPECT_PTREQ, EXPECT_PTRNE and EXPECT_PTRER")
> Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>

Applied, thank you Thomas!

Willy
diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c index 03b1d30f5507..9b76603e4ce3 100644 --- a/tools/testing/selftests/nolibc/nolibc-test.c +++ b/tools/testing/selftests/nolibc/nolibc-test.c @@ -151,7 +151,8 @@ static void result(int llen, enum RESULT r) else msg = "[FAIL]"; - putcharn(' ', 64 - llen); + if (llen < 64) + putcharn(' ', 64 - llen); puts(msg); }
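Review bot: the guard added in result() protects only this one call site, so putcharn() itself still accepts whatever count it is handed; given that the commit message says the count ends up as an unsigned value feeding memset(), clamping or rejecting an oversized count inside putcharn() would cover any other caller as well. Two smaller points on the same lines: the alignment width 64 now appears twice (`if (llen < 64)` and `64 - llen`), which is easy to update in one place and not the other, so a named constant would help; and when llen is 64 or more no padding at all is written before `puts(msg)`, so the status string is printed directly against the test description. Emitting at least one space in that case would keep the output readable and parseable.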
If the test description is longer than the status alignment the
parameter 'n' to putcharn() would lead to a signed underflow that then
gets converted to a very large unsigned value.
This in turn leads to out-of-bound writes in memset() crashing the
application.

The failure case of EXPECT_PTRER() used in "mmap_bad" exhibits this
exact behavior.

Fixes: 8a27526f49f9 ("selftests/nolibc: add EXPECT_PTREQ, EXPECT_PTRNE and EXPECT_PTRER")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
 tools/testing/selftests/nolibc/nolibc-test.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

---
base-commit: dfef4fc45d5713eb23d87f0863aff9c33bd4bfaf
change-id: 20230726-nolibc-result-width-1f4b0b4f3ca0

Best regards,