lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4277076.SKpFQfNsve@machine>
Date:   Sat, 17 Oct 2020 10:53:20 +0200
From:   Francis Laniel <laniel_francis@...vacyrequired.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     linux-hardening@...r.kernel.org
Subject: Re: [PATCH v1 2/3] Modify return value of nla_strlcpy to match that of strscpy.

Le samedi 17 octobre 2020, 01:23:10 CEST Kees Cook a écrit :
> On Fri, Oct 16, 2020 at 02:52:15PM +0200, laniel_francis@...vacyrequired.com 
wrote:
> > From: Francis Laniel <laniel_francis@...vacyrequired.com>
> > 
> > This patch solves part 2 of issue:
> > https://github.com/KSPP/linux/issues/110
> 
> As with the others, this needs a full commit log (imagine someone
> doesn't have access to read that issue, etc).

I will reexplain the whole problem into the commit message to give more 
context to it in the next version.

> 
> > Signed-off-by: Francis Laniel <laniel_francis@...vacyrequired.com>
> > ---
> > 
> >  include/net/netlink.h |  2 +-
> >  include/net/pkt_cls.h |  3 ++-
> >  lib/nlattr.c          | 31 ++++++++++++++++++++-----------
> >  net/sched/act_api.c   |  2 +-
> >  net/sched/sch_api.c   |  2 +-
> >  5 files changed, 25 insertions(+), 15 deletions(-)
> > 
> > diff --git a/include/net/netlink.h b/include/net/netlink.h
> > index 7356f41d23ba..446ca182e13d 100644
> > --- a/include/net/netlink.h
> > +++ b/include/net/netlink.h
> > @@ -506,7 +506,7 @@ int __nla_parse(struct nlattr **tb, int maxtype, const
> > struct nlattr *head,> 
> >  		struct netlink_ext_ack *extack);
> >  
> >  int nla_policy_len(const struct nla_policy *, int);
> >  struct nlattr *nla_find(const struct nlattr *head, int len, int
> >  attrtype);
> > 
> > -size_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize);
> > +ssize_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize);
> > 
> >  char *nla_strdup(const struct nlattr *nla, gfp_t flags);
> >  int nla_memcpy(void *dest, const struct nlattr *src, int count);
> >  int nla_memcmp(const struct nlattr *nla, const void *data, size_t size);
> > 
> > diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
> > index d4d461236351..f42db07c399b 100644
> > --- a/include/net/pkt_cls.h
> > +++ b/include/net/pkt_cls.h
> > @@ -4,6 +4,7 @@
> > 
> >  #include <linux/pkt_cls.h>
> >  #include <linux/workqueue.h>
> > 
> > +#include <linux/errno.h>
> > 
> >  #include <net/sch_generic.h>
> >  #include <net/act_api.h>
> >  #include <net/net_namespace.h>
> > 
> > @@ -512,7 +513,7 @@ tcf_change_indev(struct net *net, struct nlattr
> > *indev_tlv,> 
> >  	char indev[IFNAMSIZ];
> >  	struct net_device *dev;
> > 
> > -	if (nla_strlcpy(indev, indev_tlv, IFNAMSIZ) >= IFNAMSIZ) {
> > +	if (nla_strlcpy(indev, indev_tlv, IFNAMSIZ) == -E2BIG) {
> 
> I would make these tests all be "< 0" rather than specifically -E2BIG.
> 

You are right, it would permit to add more -ESOMETHING to nla_sltrcpy without 
changing the caller each time.

> >  		NL_SET_ERR_MSG_ATTR(extack, indev_tlv,
> >  		
> >  				    "Interface name too long");
> >  		
> >  		return -EINVAL;
> > 
> > diff --git a/lib/nlattr.c b/lib/nlattr.c
> > index ab96a5f4b9b8..83dd233bbe3e 100644
> > --- a/lib/nlattr.c
> > +++ b/lib/nlattr.c
> > @@ -713,29 +713,38 @@ EXPORT_SYMBOL(nla_find);
> > 
> >   * @dst: where to copy the string to
> >   * @nla: attribute to copy the string from
> >   * @dstsize: size of destination buffer
> > 
> > + * @returns: -E2BIG if @dstsize is 0 or source buffer length greater than
> > + * @dstsize, otherwise it returns the number of copied characters (not
> > + * including the trailing %NUL).
> > 
> >   *
> >   * Copies at most dstsize - 1 bytes into the destination buffer.
> > 
> > - * The result is always a valid NUL-terminated string. Unlike
> > - * strlcpy the destination buffer is always padded out.
> > - *
> > - * Returns the length of the source buffer.
> > + * The result is always a valid NUL-terminated string.
> > 
> >   */
> > 
> > -size_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize)
> > +ssize_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize)
> > 
> >  {
> > 
> > +	size_t len;
> > +	ssize_t ret;
> > 
> >  	size_t srclen = nla_len(nla);
> >  	char *src = nla_data(nla);
> > 
> > +	if (dstsize == 0 || WARN_ON_ONCE(dstsize > INT_MAX))
> > +		return -E2BIG;
> 
> Cool, yeah, good to include.
> 

Thank you!

> > +
> > 
> >  	if (srclen > 0 && src[srclen - 1] == '\0')
> >  	
> >  		srclen--;
> > 
> > -	if (dstsize > 0) {
> > -		size_t len = (srclen >= dstsize) ? dstsize - 1 : srclen;
> > -
> > -		memcpy(dst, src, len);
> > -		dst[len] = '\0';
> > +	if (srclen >= dstsize) {
> > +		len = dstsize - 1;
> > +		ret = -E2BIG;
> > +	} else {
> > +		len = srclen;
> > +		ret = len;
> > 
> >  	}
> > 
> > -	return srclen;
> > +	memcpy(dst, src, len);
> > +	dst[len] = '\0';
> > +
> > +	return ret;
> > 
> >  }
> >  EXPORT_SYMBOL(nla_strlcpy);
> 
> Otherwise, I think this looks good. (Though same note about
> zero-padding.)
> 
> > diff --git a/net/sched/act_api.c b/net/sched/act_api.c
> > index f66417d5d2c3..ed411d6c29fc 100644
> > --- a/net/sched/act_api.c
> > +++ b/net/sched/act_api.c
> > @@ -935,7 +935,7 @@ struct tc_action *tcf_action_init_1(struct net *net,
> > struct tcf_proto *tp,> 
> >  			NL_SET_ERR_MSG(extack, "TC action kind must be specified");
> >  			goto err_out;
> >  		
> >  		}
> > 
> > -		if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ) {
> > +		if (nla_strlcpy(act_name, kind, IFNAMSIZ) == -E2BIG) {
> > 
> >  			NL_SET_ERR_MSG(extack, "TC action name too long");
> >  			goto err_out;
> >  		
> >  		}
> > 
> > diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
> > index 2a76a2f5ed88..3e89c666d1e8 100644
> > --- a/net/sched/sch_api.c
> > +++ b/net/sched/sch_api.c
> > @@ -1170,7 +1170,7 @@ static struct Qdisc *qdisc_create(struct net_device
> > *dev,> 
> >  #ifdef CONFIG_MODULES
> >  
> >  	if (ops == NULL && kind != NULL) {
> >  	
> >  		char name[IFNAMSIZ];
> > 
> > -		if (nla_strlcpy(name, kind, IFNAMSIZ) < IFNAMSIZ) {
> > +		if (nla_strlcpy(name, kind, IFNAMSIZ) != -E2BIG) {
> > 
> >  			/* We dropped the RTNL semaphore in order to
> >  			
> >  			 * perform the module load.  So, even if we
> >  			 * succeeded in loading the module we have to

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ