Message-Id: <20240410021833.work.750-kees@kernel.org>
Date: Tue,  9 Apr 2024 19:31:49 -0700
From: Kees Cook <keescook@...omium.org>
To: "Martin K . Petersen" <martin.petersen@...cle.com>
Cc: Kees Cook <keescook@...omium.org>,
	Charles Bertsch <cbertsch@....net>,
	Justin Stitt <justinstitt@...gle.com>,
	Bart Van Assche <bvanassche@....org>,
	Andy Shevchenko <andy@...nel.org>,
	Sathya Prakash <sathya.prakash@...adcom.com>,
	Sreekanth Reddy <sreekanth.reddy@...adcom.com>,
	Suganath Prabu Subramani <suganath-prabu.subramani@...adcom.com>,
	"James E.J. Bottomley" <jejb@...ux.ibm.com>,
	Kashyap Desai <kashyap.desai@...adcom.com>,
	Sumit Saxena <sumit.saxena@...adcom.com>,
	Nilesh Javali <njavali@...vell.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Himanshu Madhani <himanshu.madhani@...cle.com>,
	linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org,
	MPT-FusionLinux.pdl@...adcom.com,
	linux-scsi@...r.kernel.org,
	mpi3mr-linuxdrv.pdl@...adcom.com,
	GR-QLogic-Storage-Upstream@...vell.com
Subject: [PATCH 0/5] scsi: Avoid possible run-time warning with long manufacturer strings

Hi,

Another code pattern using the gloriously ambiguous strncpy() function was
turning maybe not-NUL-terminated character arrays into NUL-terminated
strings. In these cases, when strncpy() is replaced with strscpy()
it creates a situation where if the non-terminated string takes up the
entire character array (i.e. it is not terminated) run-time warnings
from CONFIG_FORTIFY_SOURCE will trip, since strscpy() was expecting to
find a NUL-terminated source but checking for the NUL would walk off
the end of the source buffer.

In doing an instrumented build of the kernel to find these cases, it
seems it was almost entirely a code pattern used in the SCSI subsystem,
so the creation of the new helper, memtostr(), can land via the SCSI
tree. And, as it turns out, inappropriate conversions have been happening
for several years now, some of which even moved through strlcpy() first
(and were never noticed either).

This series fixes all 4 of the instances I could find in the SCSI
subsystem.

Thanks,

-Kees

Kees Cook (5):
  string.h: Introduce memtostr() and memtostr_pad()
  scsi: mptfusion: Avoid possible run-time warning with long
    manufacturer strings
  scsi: mpt3sas: Avoid possible run-time warning with long manufacturer
    strings
  scsi: mpi3mr: Avoid possible run-time warning with long manufacturer
    strings
  scsi: qla2xxx: Avoid possible run-time warning with long model_num

 drivers/message/fusion/mptsas.c          | 14 +++----
 drivers/scsi/mpi3mr/mpi3mr_transport.c   | 14 +++----
 drivers/scsi/mpt3sas/mpt3sas_base.c      |  2 +-
 drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 +++----
 drivers/scsi/qla2xxx/qla_mr.c            |  6 +--
 include/linux/string.h                   | 49 ++++++++++++++++++++++++
 lib/strscpy_kunit.c                      | 26 +++++++++++++
 7 files changed, 93 insertions(+), 32 deletions(-)

-- 
2.34.1
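
Added example (not code from this series, and not the kernel's memtostr() implementation): a user-space C illustration of the conversion the cover letter describes, where a fixed-width array that may be completely full is turned into a NUL-terminated string without reading past the source. The names field_to_str(), field_to_str_pad() and struct sample_page, and the sample data, are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a fixed-width field whose 8 bytes are all in use,
 * so the array holds no NUL; next_field sits right behind it. */
struct sample_page {
	char vendor_id[8];
	char next_field[4];
};
static const struct sample_page sample = {
	{ 'A', 'T', 'A', ' ', 'D', 'I', 'S', 'K' }, { '1', '2', '3', '4' }
};

/* Hypothetical helper, not the kernel's memtostr(): turn a possibly
 * unterminated array of src_size bytes into a NUL-terminated string.
 * Returns the number of bytes copied, excluding the terminator. */
static size_t field_to_str(char *dst, size_t dst_size,
			   const char *src, size_t src_size)
{
	/* memchr() is bounded by src_size: the search for a terminator
	 * cannot walk off the end of the field into next_field. */
	const char *nul = memchr(src, '\0', src_size);
	size_t n = nul ? (size_t)(nul - src) : src_size;

	if (dst_size == 0)
		return 0;
	if (n > dst_size - 1)
		n = dst_size - 1;	/* truncate, keep room for the NUL */
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}

/* Variant that also zero-fills the rest of dst, so no stale bytes remain. */
static size_t field_to_str_pad(char *dst, size_t dst_size,
			       const char *src, size_t src_size)
{
	size_t n = field_to_str(dst, dst_size, src, src_size);
	if (dst_size)
		memset(dst + n, 0, dst_size - n);
	return n;
}

int main(void)
{
	char out[16];
	size_t n = field_to_str_pad(out, sizeof(out), sample.vendor_id,
				    sizeof(sample.vendor_id));
	printf("%zu \"%s\"\n", n, out);
}
```

The source length comes from sizeof() on the array itself, so the bound follows the field's declared width rather than a separately maintained constant.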
