| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <77c6c991-b7b4-0362-63ca-17a801187f7a@linux.intel.com>
Date: Fri, 17 Sep 2021 08:37:21 +0100
From: Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>
To: Tim Gardner <tim.gardner@...onical.com>,
intel-gfx@...ts.freedesktop.org
Cc: Jani Nikula <jani.nikula@...ux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@...el.com>,
David Airlie <airlied@...ux.ie>,
Daniel Vetter <daniel@...ll.ch>,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [Intel-gfx] [PATCH v2] drm/i915: use strscpy() to avoid buffer
overrun
On 16/09/2021 13:26, Tim Gardner wrote:
> In capture_vma() Coverity complains of a possible buffer overrun. Even
> though this is a static function where all call sites can be checked,
> limiting the copy length could save some future grief.
>
> CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
> 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name
> by copying name without checking the length.
> 5. parameter_as_source: Note: This defect has an elevated risk because the
> source argument is a parameter of the current function.
> 1326 strcpy(c->name, name);
>
> Fix any possible overflows by using strscpy() which guarantees NULL termination.
>
> Also correct 2 other strcpy() call sites with the same potential for Coverity
> warnings or overruns.
>
> v2 - Change $SUBJECT from "drm/i915: zero fill vma name buffer"
> Use strscpy() instead of strncpy(). Its a much simpler change.
>
> Cc: Jani Nikula <jani.nikula@...ux.intel.com>
> Cc: Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>
> Cc: Rodrigo Vivi <rodrigo.vivi@...el.com>
> Cc: David Airlie <airlied@...ux.ie>
> Cc: Daniel Vetter <daniel@...ll.ch>
> Cc: intel-gfx@...ts.freedesktop.org
> Cc: dri-devel@...ts.freedesktop.org
> Cc: linux-kernel@...r.kernel.org
> Signed-off-by: Tim Gardner <tim.gardner@...onical.com>
> ---
> drivers/gpu/drm/i915/i915_gpu_error.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 9cf6ac575de1..7f246f51959d 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -1015,7 +1015,7 @@ i915_vma_coredump_create(const struct intel_gt *gt,
> return NULL;
> }
>
> - strcpy(dst->name, name);
> + strscpy(dst->name, name, sizeof(dst->name));
> dst->next = NULL;
>
> dst->gtt_offset = vma->node.start;
> @@ -1279,7 +1279,7 @@ static bool record_context(struct i915_gem_context_coredump *e,
> rcu_read_lock();
> task = pid_task(ctx->pid, PIDTYPE_PID);
> if (task) {
> - strcpy(e->comm, task->comm);
> + strscpy(e->comm, task->comm, sizeof(e->comm));
> e->pid = task->pid;
> }
> rcu_read_unlock();
> @@ -1323,7 +1323,7 @@ capture_vma(struct intel_engine_capture_vma *next,
> return next;
> }
>
> - strcpy(c->name, name);
> + strscpy(c->name, name, sizeof(c->name));
> c->vma = vma; /* reference held while active */
>
> c->next = next;
>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@...el.com>
Regards,
Tvrtko
Powered by blists - more mailing lists