lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 8 Aug 2021 19:06:30 +0200
From:   Christophe JAILLET <christophe.jaillet@...adoo.fr>
To:     Bernd Petrovitsch <bernd@...rovitsch.priv.at>,
        Len Baker <len.baker@....com>, Andy Gross <agross@...nel.org>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        Geert Uytterhoeven <geert+renesas@...der.be>,
        Magnus Damm <magnus.damm@...il.com>,
        Santosh Shilimkar <ssantosh@...nel.org>
Cc:     Kees Cook <keescook@...omium.org>,
        David Laight <David.Laight@...LAB.COM>,
        Robin Murphy <robin.murphy@....com>,
        linux-hardening@...r.kernel.org, linux-arm-msm@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-renesas-soc@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v4 2/3] drivers/soc/renesas: Prefer memcpy over strcpy

Hi,

Le 08/08/2021 à 17:35, Bernd Petrovitsch a écrit :
> Hi all!
> 
> On 08/08/2021 14:50, Len Baker wrote:
>> strcpy() performs no bounds checking on the destination buffer. This
>> could result in linear overflows beyond the end of the buffer, leading
>> to all kinds of misbehaviors. So, use memcpy() as a safe replacement.
>>
>> This is a previous step in the path to remove the strcpy() function
>> entirely from the kernel.
>>
>> Signed-off-by: Len Baker <len.baker@....com>
>> ---
>>   drivers/soc/renesas/r8a779a0-sysc.c | 6 ++++--
>>   drivers/soc/renesas/rcar-sysc.c     | 6 ++++--
>>   2 files changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/soc/renesas/r8a779a0-sysc.c b/drivers/soc/renesas/r8a779a0-sysc.c
>> index d464ffa1be33..7410b9fa9846 100644
>> --- a/drivers/soc/renesas/r8a779a0-sysc.c
>> +++ b/drivers/soc/renesas/r8a779a0-sysc.c
>> @@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)
>>   	for (i = 0; i < info->num_areas; i++) {
>>   		const struct r8a779a0_sysc_area *area = &info->areas[i];
>>   		struct r8a779a0_sysc_pd *pd;
>> +		size_t n;
>>
>>   		if (!area->name) {
>>   			/* Skip NULLified area */
>>   			continue;
>>   		}
>>
>> -		pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);
>> +		n = strlen(area->name) + 1;
>> +		pd = kzalloc(sizeof(*pd) + n, GFP_KERNEL);
> Zeroing the allocated bytes is not needed since it's completly
> overwritten with the strcpy()/memcpy().

The strcpy()/memcpy() only overwrites the pd->name field, not the whole 
pd structure.
I think that it is needed to keep the kzalloc.

Just my 2c,
CJ

>>   		if (!pd) {
>>   			error = -ENOMEM;
>>   			goto out_put;
>>   		}
>>
>> -		strcpy(pd->name, area->name);
>> +		memcpy(pd->name, area->name, n);
>>   		pd->genpd.name = pd->name;
>>   		pd->pdr = area->pdr;
>>   		pd->flags = area->flags;
> 
> And similar for the second hunk.
> 
> MfG,
> 	Bernd
> 

Powered by blists - more mailing lists