| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <yhv3rzg6vhgwage27cyvg72t4vwf5x3tdtj3zjipryzvz3u55x@c33q753uxyi3>
Date: Mon, 30 Sep 2024 18:33:41 -0700
From: Justin Stitt <justinstitt@...gle.com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: yang.yang29@....com.cn, mhiramat@...nel.org,
linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org, xu.panda@....com.cn
Subject: Re: [PATCH linux-next] tracing: use strscpy() to instead of strncpy()
Hi Steve,
Can we revisit this patch? see below.
On Tue, Jan 24, 2023 at 12:17:03PM GMT, Steven Rostedt wrote:
> On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
> <yang.yang29@....com.cn> wrote:
>
> > From: Xu Panda <xu.panda@....com.cn>
> >
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
>
> But the string being copied is *not* NUL-terminated! And this change causes
> a bug.
>
> This is the 3rd patch I've seen that blindly converts strncpy() to
> strscpy() and causes a bug in doing so. Not very safe if you ask me.
>
> >
> > Signed-off-by: Xu Panda <xu.panda@....com.cn>
> > Signed-off-by: Yang Yang <yang.yang29@....com.cn>
> > ---
> > kernel/trace/trace_events_synth.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> > index 67592eed0be8..cd636edd045e 100644
> > --- a/kernel/trace/trace_events_synth.c
> > +++ b/kernel/trace/trace_events_synth.c
> > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
> > if (len == 0)
> > return 0; /* variable-length string */
> >
> > - strncpy(buf, start, len);
> > - buf[len] = '\0';
> > + strscpy(buf, start, len + 1);
> >
> > err = kstrtouint(buf, 0, &size);
> > if (err)
>
>
> Here's the code being affected:
>
> static int synth_field_string_size(char *type)
> {
> char buf[4], *end, *start;
> unsigned int len;
> int size, err;
>
> start = strstr(type, "char[");
> if (start == NULL)
> return -EINVAL;
> start += sizeof("char[") - 1;
>
> end = strchr(type, ']');
> if (!end || end < start || type + strlen(type) > end + 1)
> return -EINVAL;
>
> len = end - start;
> if (len > 3)
> return -EINVAL;
>
> if (len == 0)
> return 0; /* variable-length string */
>
> strncpy(buf, start, len);
> buf[len] = '\0';
>
> And you are replacing the above two lines with just:
>
> strscpy(buf, start, len + 1);
>
>
> If you noticed, the string being placed into buf is:
>
> "char[123]"
>
> Where we want to copy that "123" into buf.
>
> strscpy() expects the source to be nul terminated, or it will return -E2BIG.
>
> So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
> if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
> NUL-terminated.
@buf should still be NUL-terminated while returning -E2BIG in this
instance. For context, here's the implementation of strscpy():
...
/* Hit buffer length without finding a NUL; force NUL-termination. */
if (res)
dest[res-1] = '\0';
return -E2BIG;
... and the only other spot where we can return E2BIG is way earlier in
the function where we check the count.
if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
return -E2BIG;
So it seems we should be NUL-terminating @buf in all cases, considering
count is greater than 0 and certainly not larger than INT_MAX. And, with
the `len + 1` we shouldn't be seeing any data loss either.
>
> NACK!
>
> -- Steve
>
I'm keen on replacing this instance of strncpy towards the goal of [1].
If we don't want to use strscpy() I think memcpy() is another viable
alternative (of course leaving the manual NUL-byte assignment as-is).
[1]: https://github.com/KSPP/linux/issues/90
Thanks
Justin
Powered by blists - more mailing lists