lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Sun, 27 Jul 2014 14:58:53 -0700
From:	Mark D Rustad <mrustad@...il.com>
To:	Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se>
Cc:	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
	Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] arch: x86: ia32: ia32_aout.c:  Cleaning up missing null-terminate in conjunction with strncpy

Rickard,

On Jul 26, 2014, at 2:50 PM, Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se> wrote:

> Replacing strncpy with strlcpy to avoid strings that lacks null terminate.
> And use the sizeof on the to string rather than the from string.
> 
> Signed-off-by: Rickard Strandqvist <rickard_strandqvist@...ctrumdigital.se>
> ---
> arch/x86/ia32/ia32_aout.c |    2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
> index d21ff89..1a5eb43 100644
> --- a/arch/x86/ia32/ia32_aout.c
> +++ b/arch/x86/ia32/ia32_aout.c
> @@ -156,7 +156,7 @@ static int aout_core_dump(struct coredump_params *cprm)
> 	fs = get_fs();
> 	set_fs(KERNEL_DS);
> 	has_dumped = 1;
> -	strncpy(dump.u_comm, current->comm, sizeof(current->comm));
> +	strlcpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
> 	dump.u_ar0 = offsetof(struct user32, regs);
> 	dump.signal = cprm->siginfo->si_signo;
> 	dump_thread32(cprm->regs, &dump);

This patch appears to introduce an information leakage as well. The dump structure is on the stack and not cleared, so changing to strlcpy leaves part of the u_comm field holding unintialized data which is then written into the dump. The sizeof in the 3rd argument of the original is really an incorrect reference, as you corrected. A question to consider in this case: is the string in that structure expected to always be null-terminated or not. It is not the case that all such character arrays are expected to be. I don't happen to know in this case.

-- 
Mark Rustad, MRustad@...il.com


Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)

Powered by blists - more mailing lists