lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <288e65c39f355531c91761b330e530a6336631dd.camel@HansenPartnership.com>
Date: Fri, 03 May 2024 08:36:56 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: David Yang <mmyangfl@...il.com>, linux-block@...r.kernel.org
Cc: Jens Axboe <axboe@...nel.dk>, Xu Panda <xu.panda@....com.cn>, Justin
 Stitt <justinstitt@...gle.com>, Yang Yang <yang.yang29@....com>, 
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] block: fix buf size for strscpy()

On Fri, 2024-05-03 at 15:48 +0800, David Yang wrote:
> strscpy() takes the total size of destination buffer as the argument,
> including the space for the terminating null character.
> 
> The actual length of the buffer should be len(str) + 1, which can be
> seen from the indexes where null characters are written in the code
> before the commit in question, and 'sizeof(buf) - 1' right above
> the problematic codes.
> 
> Without the additional 1 size and the absence of checkes against -
> E2BIG, strscpy() will angrily eat the last character of the source
> string. In my situation, strscpy() will take away one character
> before the comma "," (which is presumably the right bracket ")") in
> parse_parts(), making parse_subpart() unable to 'strchr(++partdef,
> ')')' and producing the following error message:
> 
>   cmdline partition format is invalid.

This is the same problem we brought up with the strscpy conversions in
scsi:

https://lore.kernel.org/all/784db8a20a3ddeb6c0498f2b31719e5198da6581.camel@HansenPartnership.com/

strscpy doesn't correctly replace a function of strncpy we used to get
a zero termination for a possibly unterminated string with a
destination that's one byte larger than the source.  The current
proposed fix is this one:

https://lore.kernel.org/all/20240410021833.work.750-kees@kernel.org/

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ