lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Nov 2020 17:35:43 -0800 From: Andrew Morton <akpm@...ux-foundation.org> To: laniel_francis@...vacyrequired.com Cc: linux-hardening@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org, dja@...ens.net, keescook@...omium.org Subject: Re: [PATCH v6 0/5] Fortify strscpy() On Thu, 19 Nov 2020 17:49:10 +0100 laniel_francis@...vacyrequired.com wrote: > From: Francis Laniel <laniel_francis@...vacyrequired.com> > > Hi. > > > I hope your families, friends and yourselves are fine. Thanks. You too ;) > This patch set answers to this issue: > https://github.com/KSPP/linux/issues/46 I fail to understand what this patchset has to do with that one-element-array issue :( > I based my modifications on top of two patches from Daniel Axtens which modify > calls to __builtin_object_size to ensure the true size of char * are returned > and not the surrounding structure size. > > To sum up, in my first patch I implemented a fortified version of strscpy. > This new version ensures the following before calling vanilla strscpy: > 1. There is no read overflow because either size is smaller than src length > or we shrink size to src length by calling fortified strnlen. > 2. There is no write overflow because we either failed during compilation or at > runtime by checking that size is smaller than dest size. > The second patch brings a new file in LKDTM driver to test this new version. > The test ensures the fortified version still returns the same value as the > vanilla one while panic'ing when there is a write overflow. > The third just corrects some typos in LKDTM related file. > > If you see any problem or way to improve the code, feel free to share it. Could you please send along a reworked [0/n] cover letter? Explain in your own words, without requiring that readers go off and read web pages - What problem the patchset solves - How it solves it - The value of the patchset (to kernel developers or to end-users) so that we can understand why it should be merged. Thanks.
Powered by blists - more mailing lists