lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200905231644.GA1506363@rani.riverdale.lan>
Date:   Sat, 5 Sep 2020 19:16:44 -0400
From:   Arvind Sankar <nivedita@...m.mit.edu>
To:     Randy Dunlap <rdunlap@...radead.org>
Cc:     Arvind Sankar <nivedita@...m.mit.edu>, x86@...nel.org,
        kasan-dev@...glegroups.com, Kees Cook <keescook@...omium.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 2/2] x86/cmdline: Use strscpy to initialize
 boot_command_line

On Sat, Sep 05, 2020 at 03:59:04PM -0700, Randy Dunlap wrote:
> On 9/5/20 3:23 PM, Arvind Sankar wrote:
> > The x86 boot protocol requires the kernel command line to be a
> > NUL-terminated string of length at most COMMAND_LINE_SIZE (including the
> > terminating NUL). In case the bootloader messed up and the command line
> > is too long (hence not NUL-terminated), use strscpy to copy the command
> > line into boot_command_line. This ensures that boot_command_line is
> > NUL-terminated, and it also avoids accessing beyond the actual end of
> > the command line if it was properly NUL-terminated.
> > 
> > Note that setup_arch() will already force command_line to be
> > NUL-terminated by using strlcpy(), as well as boot_command_line if a
> > builtin command line is configured. If boot_command_line was not
> > initially NUL-terminated, the strlen() inside of strlcpy()/strlcat()
> > will run beyond boot_command_line, but this is almost certainly
> > harmless in practice.
> > 
> > Signed-off-by: Arvind Sankar <nivedita@...m.mit.edu>
> 
> Hi,
> Just for my enlightenment, what would be wrong with:
> 
> (which is done in arch/m68/kernel/setup_no.c)
> 
> > ---
> >  arch/x86/kernel/head64.c  |  2 +-
> >  arch/x86/kernel/head_32.S | 11 +++++------
> >  2 files changed, 6 insertions(+), 7 deletions(-)
> > 
> > diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
> > index cbb71c1b574f..740dd05b9462 100644
> > --- a/arch/x86/kernel/head64.c
> > +++ b/arch/x86/kernel/head64.c
> > @@ -410,7 +410,7 @@ static void __init copy_bootdata(char *real_mode_data)
> >  	cmd_line_ptr = get_cmd_line_ptr();
> >  	if (cmd_line_ptr) {
> >  		command_line = __va(cmd_line_ptr);
> > 		memcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);
> > +		boot_command_line[COMMAND_LINE_SIZE - 1] = 0;
> >  	}
> >  
> >  	/*
> 
> 
> thanks.
> -- 
> ~Randy
> 

That still accesses beyond the end of the bootloader's command line,
which could theoretically be a bad thing: eg the EFI stub only allocates
enough space for the actual length of the command line, rather than the
full COMMAND_LINE_SIZE. But yeah, that was my first version of this
patch.

> > NUL-terminated, and it also avoids accessing beyond the actual end of
> > the command line if it was properly NUL-terminated.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ