| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Aug 2023 18:25:55 -0700
From: Justin Stitt <justinstitt@...gle.com>
To: Kees Cook <kees@...nel.org>
Cc: Stanislav Yakovlev <stas.yakovlev@...il.com>,
Kalle Valo <kvalo@...nel.org>,
Kees Cook <keescook@...omium.org>,
linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] wifi: ipw2x00: refactor to use kstrtoul
On Tue, Aug 1, 2023 at 6:16 PM Kees Cook <kees@...nel.org> wrote:
>
> On August 1, 2023 5:51:59 PM PDT, Justin Stitt <justinstitt@...gle.com> wrote:
> >The current implementation seems to reinvent what `kstrtoul` already does
> >in terms of functionality and error handling. Remove uses of `simple_strtoul()`
> >in favor of `kstrtoul()`.
> >
> >There is the following note at `lib/vsprintf.c:simple_strtoull()` which
> >further backs this change:
> >| * This function has caveats. Please use kstrtoull (or kstrtoul) instead.
> >
> >And here, simple_str* are explicitly deprecated [3].
> >
> >This patch also removes an instance of the deprecated `strncpy` which helps [2].
> >
> >Link: https://lore.kernel.org/all/202308011602.3CC1C0244C@keescook/ [1]
> >Link: https://github.com/KSPP/linux/issues/90 [2]
> >Link: https://docs.kernel.org/process/deprecated.html#simple-strtol-simple-strtoll-simple-strtoul-simple-strtoull [3]
> >Cc: linux-hardening@...r.kernel.org
> >Suggested-by: Kees Cook <keescook@...omium.org>
> >Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> >---
> >
> >
> >Link: https://lore.kernel.org/all/20230801-drivers-net-wireless-intel-ipw2x00-v1-1-ffd185c91292@google.com/
> >---
> > drivers/net/wireless/intel/ipw2x00/ipw2200.c | 43 +++++++++-------------------
> > 1 file changed, 14 insertions(+), 29 deletions(-)
> >
> >diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
> >index dfe0f74369e6..ac10633f593e 100644
> >--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c
> >+++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
> >@@ -1176,23 +1176,20 @@ static ssize_t debug_level_show(struct device_driver *d, char *buf)
> > static ssize_t debug_level_store(struct device_driver *d, const char *buf,
> > size_t count)
> > {
> >- char *p = (char *)buf;
> >- u32 val;
> >+ unsigned long *val = NULL;
> >
> >- if (p[1] == 'x' || p[1] == 'X' || p[0] == 'x' || p[0] == 'X') {
> >- p++;
> >- if (p[0] == 'x' || p[0] == 'X')
> >- p++;
> >- val = simple_strtoul(p, &p, 16);
> >- } else
> >- val = simple_strtoul(p, &p, 10);
> >- if (p == buf)
> >+ int result = kstrtoul(buf, 0, val);
>
> kstrtoul needs somewhere to write the value, so val need to be actually unsigned long, and a pointer passed to that:
>
> unsigned long val;
> ...
> ... kstrtoul(but, 0, &val);
>
> But otherwise, yeah, this looks like the right direction to me.
>
> >+
> >+ if (result == -EINVAL)
> > printk(KERN_INFO DRV_NAME
> > ": %s is not in hex or decimal form.\n", buf);
> >+ else if (result == -ERANGE)
> >+ printk(KERN_INFO DRV_NAME
> >+ ": %s has overflowed.\n", buf);
> > else
> >- ipw_debug_level = val;
> >+ ipw_debug_level = *val;
> >
> >- return strnlen(buf, count);
> >+ return count;.
>
> It might be worth mentioning this return value change, but I think it's correct: we're communicating how much was consumed (we consumed it all). When the return value != count, this function may be called again with the "rest" of the input. As this is a sysfs interface, that kind of behavior is very rare bordering on actively unwanted. :) So, I think these should either return a negative error or count.
>
> -Kees
>
> > }
> > static DRIVER_ATTR_RW(debug_level);
> >
> >@@ -1461,33 +1458,21 @@ static ssize_t scan_age_store(struct device *d, struct device_attribute *attr,
> > {
> > struct ipw_priv *priv = dev_get_drvdata(d);
> > struct net_device *dev = priv->net_dev;
> >- char buffer[] = "00000000";
> >- unsigned long len =
> >- (sizeof(buffer) - 1) > count ? count : sizeof(buffer) - 1;
> >- unsigned long val;
> >- char *p = buffer;
> >
> > IPW_DEBUG_INFO("enter\n");
> >
> >- strncpy(buffer, buf, len);
> >- buffer[len] = 0;
> >+ unsigned long *val = NULL;
> >+ int result = kstrtoul(buf, 0, val);
> >
> >- if (p[1] == 'x' || p[1] == 'X' || p[0] == 'x' || p[0] == 'X') {
> >- p++;
> >- if (p[0] == 'x' || p[0] == 'X')
> >- p++;
> >- val = simple_strtoul(p, &p, 16);
> >- } else
> >- val = simple_strtoul(p, &p, 10);
> >- if (p == buffer) {
> >+ if (result == -EINVAL || result == -ERANGE) {
> > IPW_DEBUG_INFO("%s: user supplied invalid value.\n", dev->name);
> > } else {
> >- priv->ieee->scan_age = val;
> >+ priv->ieee->scan_age = *val;
> > IPW_DEBUG_INFO("set scan_age = %u\n", priv->ieee->scan_age);
> > }
> >
> > IPW_DEBUG_INFO("exit\n");
> >- return len;
> >+ return count;
> > }
> >
> > static DEVICE_ATTR_RW(scan_age);
> >
> >---
> >base-commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4
> >change-id: 20230801-wifi-ipw2x00-refactor-fa6deb6c67ea
> >
> >Best regards,
> >--
> >Justin Stitt <justinstitt@...gle.com>
> >
>
>
> --
> Kees Cook
Thanks for the feedback. v2 available here:
https://lore.kernel.org/all/20230802-wifi-ipw2x00-refactor-v2-1-d33f765e9cd5@google.com/
Powered by blists - more mailing lists