lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20180308104309.l3j2deqrgq5d472g@mwanda>
Date:   Thu, 8 Mar 2018 13:43:09 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Cc:     Kees Cook <keescook@...omium.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        devel@...verdev.osuosl.org,
        Dmitry Eremin <dmitry.eremin@...el.com>,
        Tycho Andersen <tycho@...ho.ws>,
        Kernel Hardening <kernel-hardening@...ts.openwall.com>,
        linux-kernel@...r.kernel.org, Gargi Sharma <gs051095@...il.com>,
        Oleg Drokin <oleg.drokin@...el.com>,
        Andreas Dilger <andreas.dilger@...el.com>,
        lustre-devel@...ts.lustre.org
Subject: Re: [PATCH] staging: lustre: Remove VLA usage

On Wed, Mar 07, 2018 at 02:10:41PM +0100, Rasmus Villemoes wrote:
> On 2018-03-07 06:46, Kees Cook wrote:
> > The kernel would like to remove all VLA usage. This switches to a
> > simple kasprintf() instead.
> > 
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
> >  drivers/staging/lustre/lustre/llite/xattr.c | 19 +++++++++++++------
> >  1 file changed, 13 insertions(+), 6 deletions(-)
> > 
> > diff --git a/drivers/staging/lustre/lustre/llite/xattr.c b/drivers/staging/lustre/lustre/llite/xattr.c
> > index 532384c91447..aab4eab64289 100644
> > --- a/drivers/staging/lustre/lustre/llite/xattr.c
> > +++ b/drivers/staging/lustre/lustre/llite/xattr.c
> > @@ -87,7 +87,7 @@ ll_xattr_set_common(const struct xattr_handler *handler,
> >  		    const char *name, const void *value, size_t size,
> >  		    int flags)
> >  {
> > -	char fullname[strlen(handler->prefix) + strlen(name) + 1];
> > +	char *fullname;
> >  	struct ll_sb_info *sbi = ll_i2sbi(inode);
> >  	struct ptlrpc_request *req = NULL;
> >  	const char *pv = value;
> > @@ -141,10 +141,13 @@ ll_xattr_set_common(const struct xattr_handler *handler,
> >  			return -EPERM;
> >  	}
> >  
> > -	sprintf(fullname, "%s%s\n", handler->prefix, name);
> 
> It's probably worth pointing out that this actually fixes an
> unconditional buffer overflow: fullname only has room for the two
> strings and the '\n', but vsnprintf() is told that the buffer has
> infinite size (well, INT_MAX), so there should be plenty of room to
> append the '\0' after the '\n'.
> 
> > +	fullname = kasprintf(GFP_KERNEL, "%s%s\n", handler->prefix, name);
> > +	if (!fullname)
> > +		return -ENOMEM;
> >  	rc = md_setxattr(sbi->ll_md_exp, ll_inode2fid(inode),
> >  			 valid, fullname, pv, size, 0, flags,
> >  			 ll_i2suppgid(inode), &req);
> > +	kfree(fullname);
> >  	if (rc) {
> >  		if (rc == -EOPNOTSUPP && handler->flags == XATTR_USER_T) {
> >  			LCONSOLE_INFO("Disabling user_xattr feature because it is not supported on the server\n");
> > @@ -364,7 +367,7 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,
> >  			       struct dentry *dentry, struct inode *inode,
> >  			       const char *name, void *buffer, size_t size)
> >  {
> > -	char fullname[strlen(handler->prefix) + strlen(name) + 1];
> > +	char *fullname;
> >  	struct ll_sb_info *sbi = ll_i2sbi(inode);
> >  #ifdef CONFIG_FS_POSIX_ACL
> >  	struct ll_inode_info *lli = ll_i2info(inode);
> > @@ -411,9 +414,13 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,
> >  	if (handler->flags == XATTR_ACL_DEFAULT_T && !S_ISDIR(inode->i_mode))
> >  		return -ENODATA;
> >  #endif
> > -	sprintf(fullname, "%s%s\n", handler->prefix, name);
> 
> Same here.
> 
> I'm a little surprised this hasn't been caugt by static analysis, I
> thought gcc/coverity/smatch/whatnot had gotten pretty good at computing
> the size of the output generated by a given format string with "known"
> arguments and comparing to the size of the output buffer. Though of
> course it does require the tool to be able to do symbolic manipulations,
> in this case realizing that
> 
> outsize == strlen(x)+strlen(y)+1+1 > bufsize == strlen(x)+strlen(y)+1

That kind of symbolic manipulation is crazy hard to do.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ