| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240410021833.work.750-kees@kernel.org>
Date: Tue, 9 Apr 2024 19:31:49 -0700
From: Kees Cook <keescook@...omium.org>
To: "Martin K . Petersen" <martin.petersen@...cle.com>
Cc: Kees Cook <keescook@...omium.org>,
Charles Bertsch <cbertsch@....net>,
Justin Stitt <justinstitt@...gle.com>,
Bart Van Assche <bvanassche@....org>,
Andy Shevchenko <andy@...nel.org>,
Sathya Prakash <sathya.prakash@...adcom.com>,
Sreekanth Reddy <sreekanth.reddy@...adcom.com>,
Suganath Prabu Subramani <suganath-prabu.subramani@...adcom.com>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
Kashyap Desai <kashyap.desai@...adcom.com>,
Sumit Saxena <sumit.saxena@...adcom.com>,
Nilesh Javali <njavali@...vell.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Himanshu Madhani <himanshu.madhani@...cle.com>,
linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org,
MPT-FusionLinux.pdl@...adcom.com,
linux-scsi@...r.kernel.org,
mpi3mr-linuxdrv.pdl@...adcom.com,
GR-QLogic-Storage-Upstream@...vell.com
Subject: [PATCH 0/5] scsi: Avoid possible run-time warning with long manufacturer strings
Hi,
Another code pattern using the gloriously ambiguous strncpy() function was
turning maybe not-NUL-terminated character arrays into NUL-terminated
strings. In these cases, when strncpy() is replaced with strscpy()
it creates a situation where if the non-terminated string takes up the
entire character array (i.e. it is not terminated) run-time warnings
from CONFIG_FORTIFY_SOURCE will trip, since strscpy() was expecting to
find a NUL-terminated source but checking for the NUL would walk off
the end of the source buffer.
In doing an instrumented build of the kernel to find these cases, it
seems it was almost entirely a code pattern used in the SCSI subsystem,
so the creation of the new helper, memtostr(), can land via the SCSI
tree. And, as it turns out, inappropriate conversions have been happening
for several years now, some of which even moved through strlcpy() first
(and were never noticed either).
This series fixes all 4 of the instances I could find in the SCSI
subsystem.
Thanks,
-Kees
Kees Cook (5):
string.h: Introduce memtostr() and memtostr_pad()
scsi: mptfusion: Avoid possible run-time warning with long
manufacturer strings
scsi: mpt3sas: Avoid possible run-time warning with long manufacturer
strings
scsi: mpi3mr: Avoid possible run-time warning with long manufacturer
strings
scsi: qla2xxx: Avoid possible run-time warning with long model_num
drivers/message/fusion/mptsas.c | 14 +++----
drivers/scsi/mpi3mr/mpi3mr_transport.c | 14 +++----
drivers/scsi/mpt3sas/mpt3sas_base.c | 2 +-
drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 +++----
drivers/scsi/qla2xxx/qla_mr.c | 6 +--
include/linux/string.h | 49 ++++++++++++++++++++++++
lib/strscpy_kunit.c | 26 +++++++++++++
7 files changed, 93 insertions(+), 32 deletions(-)
--
2.34.1
Powered by blists - more mailing lists