Open Source and information security mailing list archives
Date:	Thu, 01 Sep 2011 11:54:35 +1000
From:	Ryan Mallon <rmallon@...il.com>
To:	Mark Salter <msalter@...hat.com>
CC:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 01/24] fix default __strnlen_user macro

On 01/09/11 11:38, Mark Salter wrote:
> On Thu, 2011-09-01 at 09:30 +1000, Ryan Mallon wrote:
>> On 01/09/11 07:26, Mark Salter wrote:
>>> The existing __strnlen_user macro simply resolved to strnlen. However, the
>>> count returned by strnlen_user should include the NULL byte. This patch
>>> fixes the __strnlen_user macro to include the NULL byte in the count.
>>>
>>> Signed-off-by: Mark Salter<msalter@...hat.com>
>>> ---
>>>    include/asm-generic/uaccess.h |    2 +-
>>>    1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
>>> index ac68c99..1d0fdf8 100644
>>> --- a/include/asm-generic/uaccess.h
>>> +++ b/include/asm-generic/uaccess.h
>>> @@ -289,7 +289,7 @@ strncpy_from_user(char *dst, const char __user *src, long count)
>>>     * Return 0 on exception, a value greater than N if too long
>>>     */
>>>    #ifndef __strnlen_user
>>> -#define __strnlen_user strnlen
>>> +#define __strnlen_user(s, n) (strnlen((s), (n)) + 1)
>>>    #endif
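Review bot: the comment at the top of this hunk ("a value greater than N if too long") should state the exact value, because with `strnlen((s), (n)) + 1` a string with no NUL in the first n bytes now yields precisely n + 1, and callers that test `length > n` (strndup_user is cited below) depend on that; please also say that the returned count includes the terminator. A second documentation point: "Return 0 on exception" does not describe this default, since plain strnlen has no fault handling and its only 0 result (an empty string) is now mapped to 1 by the `+ 1`, so the comment should make clear that the generic macro cannot signal a fault. Minor style note: the macro now takes arguments, so any remaining use of a bare `__strnlen_user` token will no longer expand.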
>> I don't think this is correct because if you hit maxlen you will add one
>> to it. e.g. __strnlen_user("abcd\0", 3) would return 4 instead of 3.
> Yes, one would think so, but that doesn't seem to be the case. Looking
> at various places that call strnlen_user, you'll find checks for that.
> For one example, mm/util.c:
>
>      char *strndup_user(const char __user *s, long n)
>      {
> 	char *p;
> 	long length;
>
> 	length = strnlen_user(s, n);
>
> 	if (!length)
> 		return ERR_PTR(-EFAULT);
>
> 	if (length > n)
> 		return ERR_PTR(-EINVAL);

Sure, but that isn't a good reason to not write it correctly according 
to the API description. There are also places where that check doesn't 
happen like fs/exec.c and the rather dodgy looking usage in 
kernel/auditsc.c which appears to rely on it returning n + 1 in the 
maxlen case.

It should either be changed as I suggested, or the comment in uaccess.h 
should be updated to reflect the actual behaviour of the function 
(stating that it returns n + 1 in the case where n is reached). Either 
way, it's probably worth doing a quick check through the arch specific 
versions to see what their behaviour really is. It looks like there are 
potentially some subtle bugs at the callsites.

~Ryan
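The disagreement above is about what strnlen_user should return when the limit is reached, and the reason it matters is at the call sites. The following is an added example written for this page, not code from the patch or from the kernel: it models the two candidate semantics (the patch's `strnlen() + 1`, and the "never exceed n" variant suggested in the reply) next to a constructed model of the strndup_user-style caller quoted above, which treats `length > n` as "too long". The names `strnlen_user_plus1`, `strnlen_user_capped`, `strndup_model` and `rejected` and the sample strings are all constructed for the example; the model copies `length` bytes and forces a terminator on the last one, which is an assumption about the caller, not a quote of mm/util.c.

```c
/* Constructed model (not kernel code) of the two strnlen_user semantics
 * discussed in the thread, and of a strndup_user-style caller that checks
 * "length > n". It shows how the choice changes what happens to a user
 * string that does not fit: rejected with an error, or silently truncated. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Semantics of the patch: strnlen() + 1. The count includes the NUL, and a
 * string with no NUL in the first n bytes yields n + 1. */
static size_t strnlen_user_plus1(const char *s, size_t n)
{
	return strnlen(s, n) + 1;
}

/* Alternative raised in the reply: never return more than n. */
static size_t strnlen_user_capped(const char *s, size_t n)
{
	size_t len = strnlen(s, n);

	return len < n ? len + 1 : n;
}

typedef size_t (*strnlen_user_fn)(const char *, size_t);

/* Model of the mm/util.c caller quoted in the thread (assumed shape, not
 * the kernel's code): 0 means fault, > n means too long, otherwise copy
 * `length` bytes and force a terminator on the last one. NULL on error. */
static char *strndup_model(const char *s, size_t n, strnlen_user_fn len_fn)
{
	size_t length = len_fn(s, n);
	char *p;

	if (!length)
		return NULL;		/* -EFAULT in the kernel */
	if (length > n)
		return NULL;		/* -EINVAL in the kernel */

	p = malloc(length);
	if (!p)
		return NULL;
	memcpy(p, s, length);		/* reads at most the n bytes strnlen scanned */
	p[length - 1] = '\0';
	return p;
}

/* 1 if the caller rejected the string, 0 if it accepted it (possibly truncated). */
static int rejected(const char *s, size_t n, strnlen_user_fn len_fn)
{
	char *p = strndup_model(s, n, len_fn);

	if (!p)
		return 1;
	free(p);
	return 0;
}

int main(void)
{
	/* Constructed inputs: "abc" fits in 4 bytes with its NUL, "abcd" does not. */
	const char *fits = "abc", *overlong = "abcd";

	printf("plus1(\"abcd\", 3) = %zu, capped(\"abcd\", 3) = %zu\n",
	       strnlen_user_plus1(overlong, 3), strnlen_user_capped(overlong, 3));
	printf("strndup(\"abcd\", 4): plus1 %s, capped %s\n",
	       rejected(overlong, 4, strnlen_user_plus1) ? "rejected" : "accepted",
	       rejected(overlong, 4, strnlen_user_capped) ? "rejected" : "accepted");
	printf("strndup(\"abc\", 4): plus1 %s\n",
	       rejected(fits, 4, strnlen_user_plus1) ? "rejected" : "accepted");
	return 0;
}
```

With the `+ 1` semantics, "abcd" passed with n = 4 produces 5, so the caller returns an error; with the capped semantics it produces 4, the `> n` test never fires, and the caller hands back "abc" with no indication that anything was dropped. That is the behavioural difference a call-site audit of the kind suggested above has to look for: every caller that relies on the `> n` comparison silently changes from "reject" to "truncate" if the limit case stops returning n + 1.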

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
