| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <241784a8-713f-5cf8-75d0-7ce0c0bc7279@gmx.de>
Date: Wed, 28 Dec 2022 08:28:55 +0100
From: Helge Deller <deller@....de>
To: James Bottomley <James.Bottomley@...senPartnership.com>,
yang.yang29@....com.cn
Cc: linux-parisc@...r.kernel.org, linux-kernel@...r.kernel.org,
xu.panda@....com.cn
Subject: Re: [PATCH linux-next] parisc: use strscpy() to instead of strncpy()
On 12/27/22 23:43, James Bottomley wrote:
> On Tue, 2022-12-27 at 22:38 +0100, Helge Deller wrote:
>> Hi James,
>>
>> On 12/27/22 13:38, James Bottomley wrote:
>>> On Fri, 2022-12-23 at 08:55 +0100, Helge Deller wrote:
>>>> On 12/23/22 03:40, yang.yang29@....com.cn wrote:
>>>>> From: Xu Panda <xu.panda@....com.cn>
>>>>>
>>>>> The implementation of strscpy() is more robust and safer.
>>>>> That's now the recommended way to copy NUL-terminated strings.
>>>>
>>>> Thanks for your patch, but....
>>>>
>>>>> Signed-off-by: Xu Panda <xu.panda@....com.cn>
>>>>> Signed-off-by: Yang Yang <yang.yang29@....com>
>>>>> ---
>>>>> drivers/parisc/pdc_stable.c | 9 +++------
>>>>> 1 file changed, 3 insertions(+), 6 deletions(-)
>>>>>
>>>>> diff --git a/drivers/parisc/pdc_stable.c
>>>>> b/drivers/parisc/pdc_stable.c
>>>>> index d6af5726ddf3..403bca0021c5 100644
>>>>> --- a/drivers/parisc/pdc_stable.c
>>>>> +++ b/drivers/parisc/pdc_stable.c
>>>>> @@ -274,8 +274,7 @@ pdcspath_hwpath_write(struct pdcspath_entry
>>>>> *entry, const char *buf, size_t coun
>>>>>
>>>>> /* We'll use a local copy of buf */
>>>>> count = min_t(size_t, count, sizeof(in)-1);
>>>>> - strncpy(in, buf, count);
>>>>> - in[count] = '\0';
>>>>> + strscpy(in, buf, count + 1);
>>>>
>>>> could you resend it somewhat simplified, e.g.
>>>> strscpy(in, buf, sizeof(in));
>>>
>>> I don't think you can: count is the size of buf, if that's <
>>> sizeof(in) you've introduced a write beyond end of buffer. In fact
>>> sysfs tends to pass pages as buffers, so there's no actual problem,
>>> but if that ever changed ...
>>
>> Huh?... he doesn't change "count", so what's wrong with the latest
>> patch?
>
> the array buf[] is actually buf[count], so if count < 64 then
> sizeof(buf) < sizeof(in) and you're copying whatever is after buf on
> the stack or wherever it comes from. The amount you copy into in[]
> truly has to be the smaller of count and sizeof(in). These are file
> operations, so you shouldn't rely on buf[] being null terminated
Ok, the main point I missed was that buf[] might not be null terminated.
Thanks for the explanation.
Yang & Xu, no need to resend the patch. I'll take your v1 version.
Thanks!
Helge
> (kernfs ensures it is, but it's a dangerous thing to rely on in the
> face of someone trying to exploit a stack smashing attack).
>
> James
>
Powered by blists - more mailing lists