lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Dec 2017 19:33:24 +0800 From: Eryu Guan <eguan@...hat.com> To: linux-kernel@...r.kernel.org Cc: Eryu Guan <eguan@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Chris Metcalf <cmetcalf@...hip.com>, Kees Cook <keescook@...omium.org> Subject: [PATCH] lib/string: avoid reading beyond src buffer in strscpy strscpy() tries to copy sizeof(unsigned long) bytes a time from src to dest when possible, and stops the loop when 'max' is less than sizeof(unsigned long). But it doesn't check if (src+res) goes beyond src buffer and does out-of-bound access to the underlying memory. KASAN reported global-out-of-bound bug when reading seccomp actions_logged file in procfs: cat /proc/sys/kernel/seccomp/actions_logged Because seccomp_names_from_actions_logged() is copying short strings (less than sizeof(unsigned long)) to buffer 'names'. e.g. ret = strscpy(names, " ", size); Fixed by capping the 'max' value according to the src buffer size, to make sure we won't go beyond src buffer. Cc: Andrew Morton <akpm@...ux-foundation.org> Cc: Chris Metcalf <cmetcalf@...hip.com> Cc: Kees Cook <keescook@...omium.org> Signed-off-by: Eryu Guan <eguan@...hat.com> --- lib/string.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/string.c b/lib/string.c index 64a9e33f1daa..13a0147eea00 100644 --- a/lib/string.c +++ b/lib/string.c @@ -179,6 +179,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count) { const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; size_t max = count; + size_t src_sz = strlen(src) + 1; long res = 0; if (count == 0) @@ -200,6 +201,10 @@ ssize_t strscpy(char *dest, const char *src, size_t count) max = 0; #endif + /* avoid reading beyond src buffer */ + if (max > src_sz) + max = src_sz; + while (max >= sizeof(unsigned long)) { unsigned long c, data; -- 2.14.3
Powered by blists - more mailing lists