lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190314101419.GA14455@amd>
Date:   Thu, 14 Mar 2019 11:14:19 +0100
From:   Pavel Machek <pavel@....cz>
To:     Rasmus Villemoes <linux@...musvillemoes.dk>
Cc:     Uwe Kleine-König 
        <u.kleine-koenig@...gutronix.de>,
        Jacek Anaszewski <jacek.anaszewski@...il.com>,
        LKML <linux-kernel@...r.kernel.org>, linux-leds@...r.kernel.org
Subject: Re: [PATCH 1/4] leds: netdev trigger: use memcpy in device_name_store

Hi!

> If userspace doesn't end the input with a newline (which can easily
> happen if the write happens from a C program that does write(fd,
> iface, strlen(iface))), we may end up including garbage from a
> previous, longer value in the device_name. For example
> 
> # cat device_name
> 
> # printf 'eth12' > device_name
> # cat device_name
> eth12
> # printf 'eth3' > device_name
> # cat device_name
> eth32
> 
> I highly doubt anybody is relying on this behaviour, so switch to
> simply copying the bytes (we've already checked that size is <
> IFNAMSIZ) and unconditionally zero-terminate it; of course, we also
> still have to strip a trailing newline.

  char device_name[IFNAMSIZ];

Ok, good catch reporting the bug, but are you sure the fix is right?

AFAICT the design is that device_name does _not_ have to be zero
terminated, and your fix incorrectly limits the size of device_name.

								Pavel
								
> index 3dd3ed46d473..ddc2b90ad7ec 100644
> --- a/drivers/leds/trigger/ledtrig-netdev.c
> +++ b/drivers/leds/trigger/ledtrig-netdev.c
> @@ -122,7 +122,8 @@ static ssize_t device_name_store(struct device *dev,
>  		trigger_data->net_dev = NULL;
>  	}
>  
> -	strncpy(trigger_data->device_name, buf, size);
> +	memcpy(trigger_data->device_name, buf, size);
> +	trigger_data->device_name[size] = '\0';

I'd do = 0 for consistency with code below.

I believe the strncpy() is right to use here, but code should be
modified so that zero-termination is not required.

>  	if (size > 0 && trigger_data->device_name[size - 1] == '\n')
>  		trigger_data->device_name[size - 1] = 0;
>  
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ