lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jKji0Kvp0CL1YJT6oCqxPa2KfdhMD_Pi8oAnpwMc_sXLw@mail.gmail.com>
Date:   Thu, 7 Dec 2017 10:26:45 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Eryu Guan <eguan@...hat.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Chris Metcalf <cmetcalf@...hip.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan <eguan@...hat.com> wrote:
> strscpy() tries to copy sizeof(unsigned long) bytes a time from src
> to dest when possible, and stops the loop when 'max' is less than
> sizeof(unsigned long). But it doesn't check if (src+res) goes beyond
> src buffer and does out-of-bound access to the underlying memory.
>
> KASAN reported global-out-of-bound bug when reading seccomp
> actions_logged file in procfs:
>
>   cat /proc/sys/kernel/seccomp/actions_logged
>
> Because seccomp_names_from_actions_logged() is copying short strings
> (less than sizeof(unsigned long)) to buffer 'names'. e.g.
>
>   ret = strscpy(names, " ", size);

This is a false positive:
https://marc.info/?l=linux-kernel&m=150768944030805&w=2

Given that we keep getting these reports (this is the third), I wonder
if can adjust the seccomp code to work around the bug in KASAN...

> Fixed by capping the 'max' value according to the src buffer size,
> to make sure we won't go beyond src buffer.
>
> Cc: Andrew Morton <akpm@...ux-foundation.org>
> Cc: Chris Metcalf <cmetcalf@...hip.com>
> Cc: Kees Cook <keescook@...omium.org>
> Signed-off-by: Eryu Guan <eguan@...hat.com>
> ---
>  lib/string.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/lib/string.c b/lib/string.c
> index 64a9e33f1daa..13a0147eea00 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -179,6 +179,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
>  {
>         const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
>         size_t max = count;
> +       size_t src_sz = strlen(src) + 1;

NAK. The whole point of strscpy is to avoid over-reading the source
(see the comments above the function):

 * Preferred to strlcpy() since the API doesn't require reading memory
 * from the src string beyond the specified "count" bytes, and since
 * the return value is easier to error-check than strlcpy()'s.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ