lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 01 Aug 2023 18:16:18 -0700
From:   Kees Cook <kees@...nel.org>
To:     Justin Stitt <justinstitt@...gle.com>,
        Stanislav Yakovlev <stas.yakovlev@...il.com>,
        Kalle Valo <kvalo@...nel.org>
CC:     Kees Cook <keescook@...omium.org>, linux-wireless@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] wifi: ipw2x00: refactor to use kstrtoul

On August 1, 2023 5:51:59 PM PDT, Justin Stitt <justinstitt@...gle.com> wrote:
>The current implementation seems to reinvent what `kstrtoul` already does
>in terms of functionality and error handling. Remove uses of `simple_strtoul()`
>in favor of `kstrtoul()`.
>
>There is the following note at `lib/vsprintf.c:simple_strtoull()` which
>further backs this change:
>| * This function has caveats. Please use kstrtoull (or kstrtoul) instead.
>
>And here, simple_str* are explicitly deprecated [3].
>
>This patch also removes an instance of the deprecated `strncpy` which helps [2].
>
>Link: https://lore.kernel.org/all/202308011602.3CC1C0244C@keescook/ [1]
>Link: https://github.com/KSPP/linux/issues/90 [2]
>Link: https://docs.kernel.org/process/deprecated.html#simple-strtol-simple-strtoll-simple-strtoul-simple-strtoull [3]
>Cc: linux-hardening@...r.kernel.org
>Suggested-by: Kees Cook <keescook@...omium.org>
>Signed-off-by: Justin Stitt <justinstitt@...gle.com>
>---
>
>
>Link: https://lore.kernel.org/all/20230801-drivers-net-wireless-intel-ipw2x00-v1-1-ffd185c91292@google.com/
>---
> drivers/net/wireless/intel/ipw2x00/ipw2200.c | 43 +++++++++-------------------
> 1 file changed, 14 insertions(+), 29 deletions(-)
>
>diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
>index dfe0f74369e6..ac10633f593e 100644
>--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c
>+++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
>@@ -1176,23 +1176,20 @@ static ssize_t debug_level_show(struct device_driver *d, char *buf)
> static ssize_t debug_level_store(struct device_driver *d, const char *buf,
> 				 size_t count)
> {
>-	char *p = (char *)buf;
>-	u32 val;
>+	unsigned long *val = NULL;
> 
>-	if (p[1] == 'x' || p[1] == 'X' || p[0] == 'x' || p[0] == 'X') {
>-		p++;
>-		if (p[0] == 'x' || p[0] == 'X')
>-			p++;
>-		val = simple_strtoul(p, &p, 16);
>-	} else
>-		val = simple_strtoul(p, &p, 10);
>-	if (p == buf)
>+	int result = kstrtoul(buf, 0, val);

kstrtoul needs somewhere to write the value, so val need to be actually unsigned long, and a pointer passed to that:

unsigned long val;
...
... kstrtoul(but, 0, &val);

But otherwise, yeah, this looks like the right direction to me.

>+
>+	if (result == -EINVAL)
> 		printk(KERN_INFO DRV_NAME
> 		       ": %s is not in hex or decimal form.\n", buf);
>+	else if (result == -ERANGE)
>+		printk(KERN_INFO DRV_NAME
>+			 ": %s has overflowed.\n", buf);
> 	else
>-		ipw_debug_level = val;
>+		ipw_debug_level = *val;
> 
>-	return strnlen(buf, count);
>+	return count;.

It might be worth mentioning this return value change, but I think it's correct: we're communicating how much was consumed (we consumed it all). When the return value != count, this function may be called again with the "rest" of the input. As this is a sysfs interface, that kind of behavior is very rare bordering on actively unwanted. :) So, I think these should either return a negative error or count.

-Kees

> }
> static DRIVER_ATTR_RW(debug_level);
> 
>@@ -1461,33 +1458,21 @@ static ssize_t scan_age_store(struct device *d, struct device_attribute *attr,
> {
> 	struct ipw_priv *priv = dev_get_drvdata(d);
> 	struct net_device *dev = priv->net_dev;
>-	char buffer[] = "00000000";
>-	unsigned long len =
>-	    (sizeof(buffer) - 1) > count ? count : sizeof(buffer) - 1;
>-	unsigned long val;
>-	char *p = buffer;
> 
> 	IPW_DEBUG_INFO("enter\n");
> 
>-	strncpy(buffer, buf, len);
>-	buffer[len] = 0;
>+	unsigned long *val = NULL;
>+	int result = kstrtoul(buf, 0, val);
> 
>-	if (p[1] == 'x' || p[1] == 'X' || p[0] == 'x' || p[0] == 'X') {
>-		p++;
>-		if (p[0] == 'x' || p[0] == 'X')
>-			p++;
>-		val = simple_strtoul(p, &p, 16);
>-	} else
>-		val = simple_strtoul(p, &p, 10);
>-	if (p == buffer) {
>+	if (result == -EINVAL || result == -ERANGE) {
> 		IPW_DEBUG_INFO("%s: user supplied invalid value.\n", dev->name);
> 	} else {
>-		priv->ieee->scan_age = val;
>+		priv->ieee->scan_age = *val;
> 		IPW_DEBUG_INFO("set scan_age = %u\n", priv->ieee->scan_age);
> 	}
> 
> 	IPW_DEBUG_INFO("exit\n");
>-	return len;
>+	return count;
> }
> 
> static DEVICE_ATTR_RW(scan_age);
>
>---
>base-commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4
>change-id: 20230801-wifi-ipw2x00-refactor-fa6deb6c67ea
>
>Best regards,
>--
>Justin Stitt <justinstitt@...gle.com>
>


-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ