lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <77c6c991-b7b4-0362-63ca-17a801187f7a@linux.intel.com>
Date:   Fri, 17 Sep 2021 08:37:21 +0100
From:   Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>
To:     Tim Gardner <tim.gardner@...onical.com>,
        intel-gfx@...ts.freedesktop.org
Cc:     Jani Nikula <jani.nikula@...ux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@...el.com>,
        David Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [Intel-gfx] [PATCH v2] drm/i915: use strscpy() to avoid buffer
 overrun


On 16/09/2021 13:26, Tim Gardner wrote:
> In capture_vma() Coverity complains of a possible buffer overrun. Even
> though this is a static function where all call sites can be checked,
> limiting the copy length could save some future grief.
> 
> CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
> 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name
>     by copying name without checking the length.
> 5. parameter_as_source: Note: This defect has an elevated risk because the
>     source argument is a parameter of the current function.
> 1326        strcpy(c->name, name);
> 
> Fix any possible overflows by using strscpy() which guarantees NULL termination.
> 
> Also correct 2 other strcpy() call sites with the same potential for Coverity
> warnings or overruns.
> 
> v2 - Change $SUBJECT from "drm/i915: zero fill vma name buffer"
>       Use strscpy() instead of strncpy(). Its a much simpler change.
> 
> Cc: Jani Nikula <jani.nikula@...ux.intel.com>
> Cc: Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>
> Cc: Rodrigo Vivi <rodrigo.vivi@...el.com>
> Cc: David Airlie <airlied@...ux.ie>
> Cc: Daniel Vetter <daniel@...ll.ch>
> Cc: intel-gfx@...ts.freedesktop.org
> Cc: dri-devel@...ts.freedesktop.org
> Cc: linux-kernel@...r.kernel.org
> Signed-off-by: Tim Gardner <tim.gardner@...onical.com>
> ---
>   drivers/gpu/drm/i915/i915_gpu_error.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 9cf6ac575de1..7f246f51959d 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -1015,7 +1015,7 @@ i915_vma_coredump_create(const struct intel_gt *gt,
>   		return NULL;
>   	}
>   
> -	strcpy(dst->name, name);
> +	strscpy(dst->name, name, sizeof(dst->name));
>   	dst->next = NULL;
>   
>   	dst->gtt_offset = vma->node.start;
> @@ -1279,7 +1279,7 @@ static bool record_context(struct i915_gem_context_coredump *e,
>   	rcu_read_lock();
>   	task = pid_task(ctx->pid, PIDTYPE_PID);
>   	if (task) {
> -		strcpy(e->comm, task->comm);
> +		strscpy(e->comm, task->comm, sizeof(e->comm));
>   		e->pid = task->pid;
>   	}
>   	rcu_read_unlock();
> @@ -1323,7 +1323,7 @@ capture_vma(struct intel_engine_capture_vma *next,
>   		return next;
>   	}
>   
> -	strcpy(c->name, name);
> +	strscpy(c->name, name, sizeof(c->name));
>   	c->vma = vma; /* reference held while active */
>   
>   	c->next = next;
> 

Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@...el.com>

Regards,

Tvrtko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ