[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMuHMdU+K9Kqe1JS+PCcuyf_3V1yMDe_M1r63SyEyp4ppfkpfg@mail.gmail.com>
Date: Sun, 7 Apr 2013 16:28:04 +0200
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Chen Gang <gang.chen@...anux.com>
Cc: Rusty Russell <rusty@...tcorp.com.au>,
"linux-kernel@...r.kernel.org >> linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] kernel: module: strncpy issue, using strlcpy instead of strncpy
On Sun, Apr 7, 2013 at 1:38 PM, Chen Gang <gang.chen@...anux.com> wrote:
> ownername and namebuf are all NUL terminated string.
>
> need always let them ended by '\0'.
>
> Signed-off-by: Chen Gang <gang.chen@...anux.com>
> ---
> kernel/module.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 3c2c72d..597efd8 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -3464,7 +3464,7 @@ const char *module_address_lookup(unsigned long addr,
> }
> /* Make a copy in here where it's safe */
> if (ret) {
> - strncpy(namebuf, ret, KSYM_NAME_LEN - 1);
> + strlcpy(namebuf, ret, KSYM_NAME_LEN);
> ret = namebuf;
> }
> preempt_enable();
Is this buffer ever copied to userspace?
If yes, it may leak innocent kernel stack to userspace, as strlcpy()
doesn't fill
the remaining of the buffer with zeroes, while strncpy() does.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists