lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ca6e40fff619aa16cb178382f5404d047ed08f3c.camel@HansenPartnership.com>
Date:   Tue, 27 Dec 2022 17:43:56 -0500
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Helge Deller <deller@....de>, yang.yang29@....com.cn
Cc:     linux-parisc@...r.kernel.org, linux-kernel@...r.kernel.org,
        xu.panda@....com.cn
Subject: Re: [PATCH linux-next] parisc: use strscpy() to instead of strncpy()

On Tue, 2022-12-27 at 22:38 +0100, Helge Deller wrote:
> Hi James,
> 
> On 12/27/22 13:38, James Bottomley wrote:
> > On Fri, 2022-12-23 at 08:55 +0100, Helge Deller wrote:
> > > On 12/23/22 03:40, yang.yang29@....com.cn wrote:
> > > > From: Xu Panda <xu.panda@....com.cn>
> > > > 
> > > > The implementation of strscpy() is more robust and safer.
> > > > That's now the recommended way to copy NUL-terminated strings.
> > > 
> > > Thanks for your patch, but....
> > > 
> > > > Signed-off-by: Xu Panda <xu.panda@....com.cn>
> > > > Signed-off-by: Yang Yang <yang.yang29@....com>
> > > > ---
> > > >    drivers/parisc/pdc_stable.c | 9 +++------
> > > >    1 file changed, 3 insertions(+), 6 deletions(-)
> > > > 
> > > > diff --git a/drivers/parisc/pdc_stable.c
> > > > b/drivers/parisc/pdc_stable.c
> > > > index d6af5726ddf3..403bca0021c5 100644
> > > > --- a/drivers/parisc/pdc_stable.c
> > > > +++ b/drivers/parisc/pdc_stable.c
> > > > @@ -274,8 +274,7 @@ pdcspath_hwpath_write(struct pdcspath_entry
> > > > *entry, const char *buf, size_t coun
> > > > 
> > > >          /* We'll use a local copy of buf */
> > > >          count = min_t(size_t, count, sizeof(in)-1);
> > > > -       strncpy(in, buf, count);
> > > > -       in[count] = '\0';
> > > > +       strscpy(in, buf, count + 1);
> > > 
> > > could you resend it somewhat simplified, e.g.
> > > strscpy(in, buf, sizeof(in));
> > 
> > I don't think you can: count is the size of buf, if that's <
> > sizeof(in) you've introduced a write beyond end of buffer.  In fact
> > sysfs tends to pass pages as buffers, so there's no actual problem,
> > but if that ever changed ...
> 
> Huh?... he doesn't change "count", so what's wrong with the latest
> patch?

the array buf[] is actually buf[count], so if count < 64 then
sizeof(buf) < sizeof(in) and you're copying whatever is after buf on
the stack or wherever it comes from. The amount you copy into in[]
truly has to be the smaller of count and sizeof(in).  These are file
operations, so you shouldn't rely on buf[] being null terminated
(kernfs ensures it is, but it's a dangerous thing to rely on in the
face of someone trying to exploit a stack smashing attack).

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ