[OpenWrt-Devel] [PATCH][libubox] blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes

Juraj Vijtiuk juraj.vijtiuk at sartura.hr
Mon Jan 20 15:38:59 EST 2020


Hello,

I have checked v2 of the patch, and can confirm that it fixes the out
of bounds reads.

I have also fuzzed blobmsg_parse and blobmsg_parse_array for an hour
with LibFuzzer, to check that there are no more similar shallow issues
and no new crashes were found.

Thank you for the help!

Regards,
Juraj

On Mon, Jan 20, 2020 at 12:09 PM Petr Štetiar <ynezz at true.cz> wrote:
>
> Juraj Vijtiuk <juraj.vijtiuk at sartura.hr> [2020-01-14 22:11:18]:
>
> Hi,
>
> I just sent v2 for review[2], can you check it please?
>
> > > > @@ -191,7 +197,11 @@ int blobmsg_parse(const struct blobmsg_policy *policy, int policy_len,
> > > >     }
> > > >
> > > >     __blob_for_each_attr(attr, data, len) {
> > > > +           if (len < sizeof(struct blob_attr) + sizeof(struct blobmsg_hdr))
> > > > +                   return -1;
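Review bot: the length test added inside the __blob_for_each_attr body of blobmsg_parse only shows that the fixed-size struct blob_attr and struct blobmsg_hdr fit in len; nothing in the visible lines checks that the variable-length name that follows blobmsg_hdr also lies within len before it is used. Consider extending the check to cover the name length taken from the header. Because the test sits in the loop body, it also runs only after the macro's own loop condition has been evaluated for this attribute, so it cannot guard any read the macro performs itself. A one-line comment on the bare "return -1;" saying that it signals a truncated message would help callers and later readers.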
> > >
> > > If there is such a problem, then this should probably be fixed directly in
> > > __blob_for_each_attr so we possibly protect other __blob_for_each_attr
> > > users[1].
> >
> > Can you maybe provide a patch? I'd be happy to test it and let you
> > know what the results are.
>
> Seems like I need more time on this, to come up with some meaningful solution
> (it's a blob-related function, but it would need to check blobmsg etc.), I've
> just prepared some common helper functions which should help. I don't want to
> block these changes just because of that. I'll try to add you to the Cc: in
> that follow-up patch.
>
> 1. https://patchwork.ozlabs.org/patch/1225878/
>
> -- ynezz
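
The suggestion quoted above, to put the bounds checks in the iterator so that every caller is protected, sketched as an added example (not libubox code and not part of this thread). It assumes a simplified attribute layout without padding; tlv_check, tlv_count and the sample messages are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ATTR_HDR 4u /* assumed layout: 1-byte id, 3-byte big-endian total length */
#define NAME_HDR 2u /* assumed layout: 2-byte big-endian name length */

/* Validate the attribute at buf with rem bytes left in the message.
 * Returns its total length, 0 at a clean end, -1 if it is malformed. */
static long tlv_check(const uint8_t *buf, size_t rem)
{
	size_t total, namelen;

	if (rem == 0)
		return 0;
	if (rem < ATTR_HDR + NAME_HDR)
		return -1; /* fixed headers do not fit (the check in the quoted hunk) */
	total = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
	if (total < ATTR_HDR + NAME_HDR || total > rem)
		return -1; /* declared length exceeds what is left */
	namelen = ((size_t)buf[4] << 8) | buf[5];
	if (ATTR_HDR + NAME_HDR + namelen + 1 > total)
		return -1; /* name and its NUL do not fit in the attribute */
	if (buf[ATTR_HDR + NAME_HDR + namelen] != 0)
		return -1; /* name is not NUL-terminated */
	return (long)total;
}

/* One caller of the iterator: counts attributes, -1 on malformed input. */
int tlv_count(const uint8_t *buf, size_t len)
{
	long step;
	int n = 0;

	for (; (step = tlv_check(buf, len)) > 0; buf += step, len -= (size_t)step)
		n++;
	return step < 0 ? -1 : n;
}

/* Constructed sample messages, not captured data. */
const uint8_t msg_ok[] = { 1, 0, 0, 10, 0, 2, 'i', 'd', 0, 42,
                           2, 0, 0, 8, 0, 1, 'x', 0 };
const uint8_t msg_short[] = { 1, 0, 0, 8, 0, 1, 'x', 0, 2, 0, 0 };
const uint8_t msg_name[] = { 1, 0, 0, 8, 0, 255, 'x', 0 };
const uint8_t msg_len[] = { 1, 0, 0, 64, 0, 1, 'x', 0 };

int main(void)
{
	return tlv_count(msg_ok, sizeof msg_ok) == 2 ? 0 : 1;
}
```

Any other loop written on top of tlv_check inherits the same four checks, which is the benefit of fixing the iterator rather than each caller.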
