Hello,

I have checked v2 of the patch, and can confirm that it fixes the out-of-bounds reads.
I have also fuzzed blobmsg_parse and blobmsg_parse_array for an hour with LibFuzzer, to check that there are no more similar shallow issues, and no new crashes were found.

Thank you for the help!

Regards,
Juraj

On Mon, Jan 20, 2020 at 12:09 PM Petr Štetiar <yn...@true.cz> wrote:
>
> Juraj Vijtiuk <juraj.vijt...@sartura.hr> [2020-01-14 22:11:18]:
>
> Hi,
>
> I just sent v2 for review[2], can you check it please?
>
> > > > @@ -191,7 +197,11 @@ int blobmsg_parse(const struct blobmsg_policy
> > > > *policy, int policy_len,
> > > > }
> > > >
> > > > __blob_for_each_attr(attr, data, len) {
> > > > + if (len < sizeof(struct blob_attr) + sizeof(struct
> > > > blobmsg_hdr))
> > > > + return -1;
> > >
> > > If there is such a problem, then this should probably be fixed directly in
> > > __blob_for_each_attr so we possibly protect other __blob_for_each_attr
> > > users[1].
> >
> > Can you maybe provide a patch? I'd be happy to test it and let you
> > know what the results are.
>
> Seems like I need more time on this, to come up with some meaningful solution
> (it's a blob-related function, but it would need to check blobmsg etc.), I've
> just prepared some common helper functions which should help. I don't want to
> block these changes just because of that. I'll try to add you to the Cc: in
> that follow-up patch.
>
> 1. https://patchwork.ozlabs.org/patch/1225878/
>
> -- ynezz
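
Review bot: The length check added inside the `__blob_for_each_attr` loop body in blobmsg_parse bounds only the two fixed headers (`sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr)`) and only for this one caller, so it deserves a short comment saying what the remaining `len` is expected to cover at that point and why the whole parse returns -1 instead of skipping the attribute. The hunk does not show the type of `len`; if it is signed, the comparison against `sizeof` converts a negative value to a large unsigned one that passes the check, so an explicit cast or a separate `len < 0` test would make the intent clear. Any later read that depends on a length field stored inside the header still needs its own bound, since this check does not cover it.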