| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <AFFEFE7F-D89B-4289-AB28-0B068C2C15AA@gmail.com>
Date: Sun, 27 Jul 2014 14:58:53 -0700
From: Mark D Rustad <mrustad@...il.com>
To: Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] arch: x86: ia32: ia32_aout.c: Cleaning up missing null-terminate in conjunction with strncpy
Rickard,
On Jul 26, 2014, at 2:50 PM, Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se> wrote:
> Replacing strncpy with strlcpy to avoid strings that lacks null terminate.
> And use the sizeof on the to string rather than the from string.
>
> Signed-off-by: Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se>
> ---
> arch/x86/ia32/ia32_aout.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
> index d21ff89..1a5eb43 100644
> --- a/arch/x86/ia32/ia32_aout.c
> +++ b/arch/x86/ia32/ia32_aout.c
> @@ -156,7 +156,7 @@ static int aout_core_dump(struct coredump_params *cprm)
> fs = get_fs();
> set_fs(KERNEL_DS);
> has_dumped = 1;
> - strncpy(dump.u_comm, current->comm, sizeof(current->comm));
> + strlcpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
> dump.u_ar0 = offsetof(struct user32, regs);
> dump.signal = cprm->siginfo->si_signo;
> dump_thread32(cprm->regs, &dump);
This patch appears to introduce an information leakage as well. The dump structure is on the stack and not cleared, so changing to strlcpy leaves part of the u_comm field holding unintialized data which is then written into the dump. The sizeof in the 3rd argument of the original is really an incorrect reference, as you corrected. A question to consider in this case: is the string in that structure expected to always be null-terminated or not. It is not the case that all such character arrays are expected to be. I don't happen to know in this case.
--
Mark Rustad, MRustad@...il.com
Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)
Powered by blists - more mailing lists