lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1506505230.14970.22.camel@suse.de>
Date:   Wed, 27 Sep 2017 11:40:30 +0200
From:   Jean Delvare <jdelvare@...e.de>
To:     Ingo Molnar <mingo@...nel.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Baoquan He <bhe@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Peter Zijlstra <a.p.zijlstra@...llo.nl>,
        "H. Peter Anvin" <hpa@...or.com>, Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH] params: Fix an overflow in param_attr_show

Hi Ingo,

On mer., 2017-09-27 at 10:26 +0200, Ingo Molnar wrote:
> * Jean Delvare <jdelvare@...e.de> wrote:
> 
> > Function param_attr_show could overflow the buffer it is operating
> > on. The buffer size is PAGE_SIZE, and the string returned by
> > attribute->param->ops->get is generated by scnprintf(buffer,
> > PAGE_SIZE, ...) so it could be PAGE_SIZE - 1 long, with the
> > terminating '\0' at the very end of the buffer. Calling
> > strcat(..., "\n") on this isn't safe, as the '\0' will be replaced
> > by '\n' (OK) and then another '\0' will be added past the end of
> > the buffer (not OK.)
> > 
> > Simply add the trailing '\n' when writing the attribute contents to
> > the buffer originally. This is safe, and also faster.
> > 
> > Credits to Teradata for discovering this issue.
> > 
> > Signed-off-by: Jean Delvare <jdelvare@...e.de>
> > ---
> >  kernel/params.c |   22 +++++++++-------------
> >  1 file changed, 9 insertions(+), 13 deletions(-)
> > 
> > --- linux-4.13.orig/kernel/params.c	2017-09-19 16:07:18.794254776 +0200
> > +++ linux-4.13/kernel/params.c	2017-09-19 16:12:57.398426205 +0200
> > @@ -236,14 +236,14 @@ char *parse_args(const char *doing,
> >  	EXPORT_SYMBOL(param_ops_##name)
> >  
> >  
> > -STANDARD_PARAM_DEF(byte, unsigned char, "%hhu", kstrtou8);
> > -STANDARD_PARAM_DEF(short, short, "%hi", kstrtos16);
> > -STANDARD_PARAM_DEF(ushort, unsigned short, "%hu", kstrtou16);
> > -STANDARD_PARAM_DEF(int, int, "%i", kstrtoint);
> > -STANDARD_PARAM_DEF(uint, unsigned int, "%u", kstrtouint);
> > -STANDARD_PARAM_DEF(long, long, "%li", kstrtol);
> > -STANDARD_PARAM_DEF(ulong, unsigned long, "%lu", kstrtoul);
> > -STANDARD_PARAM_DEF(ullong, unsigned long long, "%llu", kstrtoull);
> > +STANDARD_PARAM_DEF(byte, unsigned char, "%hhu\n", kstrtou8);
> > +STANDARD_PARAM_DEF(short, short, "%hi\n", kstrtos16);
> > +STANDARD_PARAM_DEF(ushort, unsigned short, "%hu\n", kstrtou16);
> > +STANDARD_PARAM_DEF(int, int, "%i\n", kstrtoint);
> > +STANDARD_PARAM_DEF(uint, unsigned int, "%u\n", kstrtouint);
> > +STANDARD_PARAM_DEF(long, long, "%li\n", kstrtol);
> > +STANDARD_PARAM_DEF(ulong, unsigned long, "%lu\n", kstrtoul);
> > +STANDARD_PARAM_DEF(ullong, unsigned long long, "%llu\n", kstrtoull);
> >  
> >  int param_set_charp(const char *val, const struct kernel_param *kp)
> >  {
> > @@ -270,7 +270,7 @@ EXPORT_SYMBOL(param_set_charp);
> >  
> >  int param_get_charp(char *buffer, const struct kernel_param *kp)
> >  {
> > -	return scnprintf(buffer, PAGE_SIZE, "%s", *((char **)kp->arg));
> > +	return scnprintf(buffer, PAGE_SIZE, "%s\n", *((char **)kp->arg));
> >  }
> >  EXPORT_SYMBOL(param_get_charp);
> >  
> > @@ -549,10 +549,6 @@ static ssize_t param_attr_show(struct mo
> >  	kernel_param_lock(mk->mod);
> >  	count = attribute->param->ops->get(buf, attribute->param);
> >  	kernel_param_unlock(mk->mod);
> > -	if (count > 0) {
> > -		strcat(buf, "\n");
> > -		++count;
> > -	}
> >  	return count;
> >  }
> 
> So the \n additions to the STANDARD_PARAM_DEF() lines
> 
> > 
> > +STANDARD_PARAM_DEF(byte, unsigned char, "%hhu\n", kstrtou8);
> > +STANDARD_PARAM_DEF(short, short, "%hi\n", kstrtos16);
> > +STANDARD_PARAM_DEF(ushort, unsigned short, "%hu\n", kstrtou16);
> 
> are not necessary anymore, with the other changes? If so then I'd leave them 
> without the \n - that's also easier to read.

What other changes are you referring to? I'm confused. Are you sure you
read the patch entirely before commenting on it?

> Or if adding this:
> 
> 	STANDARD_PARAM_DEF(byte, unsigned char, "%hhu", kstrtou8);
> 
> ... is still unsafe then I'd suggest making it safe - it's easy to miss the lack 
> of a \n during review and testing.

Why would you add this when it's already present? Confused again.

To answer the question, even if I don't get the point, omitting the
trailing '\n' would be safe in the sense that it would not cause a
buffer overflow. It would be wrong in the sense that reading from the
sysfs attribute would miss the trailing '\n'. But basic testing would
catch that easily, contrary to your claim above. If review did not
catch it before, that is, and it should, it ain't that hard really.

I'm curious, have you decided to bash every patch I post just to make
my life harder? It's working, congratulations.

-- 
Jean Delvare
SUSE L3 Support

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ