lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZZhtK6vjk5UD7pxi@kbusch-mbp>
Date: Fri, 5 Jan 2024 13:57:15 -0700
From: Keith Busch <kbusch@...nel.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Arnd Bergmann <arnd@...nel.org>, Christoph Hellwig <hch@....de>,
	Sagi Grimberg <sagi@...mberg.me>,
	Chaitanya Kulkarni <kch@...dia.com>, linux-nvme@...ts.infradead.org,
	linux-kernel@...r.kernel.org, Daniel Wagner <dwagner@...e.de>,
	Hannes Reinecke <hare@...e.de>
Subject: Re: [PATCH 1/2] nvmet: re-fix tracing strncpy() warning

On Fri, Jan 05, 2024 at 09:36:38PM +0100, Arnd Bergmann wrote:
> On Fri, Jan 5, 2024, at 21:24, Keith Busch wrote:
> > On Wed, Jan 03, 2024 at 04:56:55PM +0100, Arnd Bergmann wrote:
> >> @@ -53,8 +53,7 @@ static inline void __assign_req_name(char *name, struct nvmet_req *req)
> >>  		return;
> >>  	}
> >>  
> >> -	strncpy(name, req->ns->device_path,
> >> -		min_t(size_t, DISK_NAME_LEN, strlen(req->ns->device_path)));
> >> +	strscpy_pad(name, req->ns->device_path, DISK_NAME_LEN);
> >>  }
> >
> > I like this one, however Daniel has a different fix for this already
> > staged in nvme-6.8:
> >
> >  
> > https://git.infradead.org/nvme.git/commitdiff/8f6c0eec5fad13785fd53a5b3b5f8b97b722a2a3
> 
> +       snprintf(name,
> +                min_t(size_t, DISK_NAME_LEN, strlen(req->ns->device_path) + 1),
> +                "%s", req->ns->device_path);
> 
> Don't we still need the zero-padding here to avoid leaking
> kernel data to userspace?

I'm not sure. This potentially leaves trace buffer memory uninitialized
after the string, but isn't the trace buffer user accessible when it was
initially allocated?

For correctness, though, yes, I think you're right so I may just back
out this one and replace with yours since we haven't sent a recent 6.8
pull request yet.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ