lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9b509d0fd5c4459985aac9b35abe462b@AcuMS.aculab.com>
Date:   Tue, 10 Aug 2021 08:30:26 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Jonathan Cameron' <Jonathan.Cameron@...wei.com>,
        Andy Shevchenko <andy.shevchenko@...il.com>
CC:     Jonathan Cameron <jic23@...nel.org>, Len Baker <len.baker@....com>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Kees Cook <keescook@...omium.org>,
        "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
        linux-iio <linux-iio@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v2] drivers/iio: Remove all strcpy() uses in favor of
 strscpy()

From: Jonathan Cameron
> Sent: 09 August 2021 10:22
> 
> On Sun, 8 Aug 2021 22:00:34 +0300
> Andy Shevchenko <andy.shevchenko@...il.com> wrote:
> 
> > On Sun, Aug 8, 2021 at 7:25 PM Jonathan Cameron <jic23@...nel.org> wrote:
> > >
> > > On Sat,  7 Aug 2021 17:22:25 +0200
> > > Len Baker <len.baker@....com> wrote:
> > >
> > > > strcpy() performs no bounds checking on the destination buffer. This
> > > > could result in linear overflows beyond the end of the buffer, leading
> > > > to all kinds of misbehaviors. The safe replacement is strscpy().
> > > >
> > > > This patch is an effort to clean up the proliferation of str*()
> > > > functions in the kernel and a previous step in the path to remove
> > > > the strcpy function from the kernel entirely [1].
> > > >
> > > > [1] https://github.com/KSPP/linux/issues/88
> > > >
> > > > Signed-off-by: Len Baker <len.baker@....com>
> > > Applied to the togreg branch of iio.git and pushed out as testing
> > > so 0-day can poke at it and see if we missed anything.
> >
> > Isn't it too early? Or am I missing something (see below)?
> >
> > ...
> >
> > > >                       /* use length + 2 for adding minus sign if needed */
> > > > -                     str = devm_kzalloc(regmap_get_device(st->map),
> > > > -                                        strlen(orient) + 2, GFP_KERNEL);
> > > > +                     n = strlen(orient) + 2;
> > > > +                     str = devm_kzalloc(regmap_get_device(st->map), n,
> > > > +                                        GFP_KERNEL);
> > > >                       if (str == NULL)
> > > >                               return -ENOMEM;
> > > >                       if (strcmp(orient, "0") == 0) {
> > > > -                             strcpy(str, orient);
> > > > +                             strscpy(str, orient, n);
> > > >                       } else if (orient[0] == '-') {
> > > > -                             strcpy(str, &orient[1]);
> > > > +                             strscpy(str, &orient[1], n);
> > > >                       } else {
> > > >                               str[0] = '-';
> > > > -                             strcpy(&str[1], orient);
> > > > +                             strscpy(&str[1], orient, n - 1);
> >
> > Why n-1?
> 
> n is the total length and this is printing from [1], so n - 1 is remaining
> space.

If you do:
	/* negate 'orient' */
	n = strlen(orient) + 1;
	str = malloc(n + 1);
	if (n == 2 && orient[0] == '0')
		memcpy(str, orient, n);
	else if (orient[0] == '-')
		memcpy(str, orient + 1, n - 1);
	else {
		str[0] = '-';
		memcpy(str + 1, orient, n);
	}
Then it is probably less confusing.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ