lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 22 Mar 2010 17:57:41 +0100
From:	Takashi Iwai <tiwai@...e.de>
To:	Dan Carpenter <error27@...il.com>
Cc:	Joe Perches <joe@...ches.com>,
	Mauro Carvalho Chehab <mchehab@...radead.org>,
	Srinivasa Deevi <srinivasa.deevi@...exant.com>,
	linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch v2] cx231xx: card->driver "Conexant cx231xx Audio" too	long

At Mon, 22 Mar 2010 19:54:30 +0300,
Dan Carpenter wrote:
> 
> On Mon, Mar 22, 2010 at 05:04:55PM +0100, Takashi Iwai wrote:
> > At Mon, 22 Mar 2010 08:43:47 -0700,
> > Joe Perches wrote:
> > > 
> > > On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> > > > card->driver is 15 characters and a NULL, the original code could 
> > > > cause a buffer overflow.
> > > 
> > > > In version 2, I used a better name that Takashi Iwai suggested.
> > > 
> > > Perhaps it's better to use strncpy as well.
> > 
> > strlcpy() would be safer :)
> > 
> > But, in such a case, we want rather that the error is notified at
> > build time.
> > 
> > Maybe a macro like below would be helpful to catch such bugs?
> > 
> > #define COPY_STRING(buf, src)						\
> > 	do {								\
> > 		if (__builtin_constant_p(src))				\
> > 			BUILD_BUG_ON(strlen(src) >= sizeof(buf));	\
> > 		strcpy(buf, src);					\
> > 	} while (0)
> > 
> > and used like:
> > 
> > struct foo {
> > 	char foo[5];
> > } x;
> > 
> > COPY_STRING(x.foo, "OK"); // OK
> > COPY_STRING(x.foo, "1234567890"); // NG
> > 
> 
> I can do the same thing with Smatch.  The smatch check can also find 
> bugs like this:
> 
> 	buf = kmalloc(10, GFP_KERNEL);
> 	strcpy(buf, "1234567890"); 
> 
> I used smatch to find this bug and 5 others on my allmodconfig w/ staging.
> I also found 19 other places that use strcpy() to copy from a large buffer
> into a smaller buffer.

Ah, nice.

> Your idea is nice, but I think anyone who deliberately uses the new
> macro is not going to have the bug in the first place.  ;)

Yeah, in theory, such a code should be never committed because it
can be caught at build time ;)


Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ