lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 5 Nov 2009 08:32:35 -0800 (PST)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Jiri Kosina <jkosina@...e.cz>
cc:	Michael Gilbert <michael.s.gilbert@...il.com>,
	Michael Buesch <mb@...sch.de>, Jack Steiner <steiner@....com>,
	linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: CVE-2009-2584


On Thu, 5 Nov 2009, Jiri Kosina wrote:
>  
> +	memset(buf, 0, sizeof(buf));
>  	if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
>  		return -EFAULT;
> -	buf[count - 1] = '\0';

Why isn't this just

	buf[sizeof(buf) - 1] = 0;

which was almost certainly the _intention_ of the code in the first 
place, since 'count' has absolutely nothing to do with the copy from user 
space as it is written.

I'm also convinced we do _not_ want 'strncpy' there, since we do have the 
size of the write. Doing a strncpy_from_user() is actually _wrong_ if the 
user buffer itself is smaller than the kernel buffer and isn't 
NUL-terminated.

So that strncpy crap needs to go. It's wrong.

In other words it would all look a whole lot more natural (and correct) 
like the appended patch.

Untested, of course. And since almost nobody has the hardware, so it's not 
like it's ever likely to _be_ tested.

		Linus

---
 drivers/misc/sgi-gru/gruprocfs.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
index ccd4408..c0e17b0 100644
--- a/drivers/misc/sgi-gru/gruprocfs.c
+++ b/drivers/misc/sgi-gru/gruprocfs.c
@@ -164,7 +164,9 @@ static ssize_t options_write(struct file *file, const char __user *userbuf,
 	unsigned long val;
 	char buf[80];
 
-	if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0)
+	if (count >= sizeof(buf))
+		count = sizeof(buf)-1;
+	if (copy_from_user(buf, userbuf, count))
 		return -EFAULT;
 	buf[count - 1] = '\0';
 	if (!strict_strtoul(buf, 10, &val))
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ