| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Jun 2023 12:34:38 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Hao Lan <lanhao@...wei.com>, netdev@...r.kernel.org
Cc: yisen.zhuang@...wei.com, salil.mehta@...wei.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, richardcochran@...il.com,
wangpeiyang1@...wei.com, shenjian15@...wei.com, chenhao418@...wei.com,
simon.horman@...igine.com, wangjie125@...wei.com, yuanjilin@...rlc.com,
cai.huoqing@...ux.dev, xiujianfeng@...wei.com
Subject: Re: [PATCH net-next v2 3/4] net: hns3: fix strncpy() not using
dest-buf length as length issue
On Mon, 2023-06-12 at 20:23 +0800, Hao Lan wrote:
> From: Hao Chen <chenhao418@...wei.com>
>
> Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length,
> it may result in dest-buf overflow.
>
> This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0
> compiler.
>
> The warning reports as below:
>
> hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on
> the length of the source argument [-Wstringop-truncation]
>
> strncpy(pos, items[i].name, strlen(items[i].name));
>
> hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before
> terminating nul copying as many bytes from a string as its length
> [-Wstringop-truncation]
>
> strncpy(pos, result[i], strlen(result[i]));
>
> strncpy() use src-length as copy-length, it may result in
> dest-buf overflow.
>
> So,this patch add some values check to avoid this issue.
>
> ChangeLog:
> v1->v2:
> Use strcpy substitutes for memcpy
> suggested by Simon Horman.
>
> Signed-off-by: Hao Chen <chenhao418@...wei.com>
> Reported-by: kernel test robot <lkp@...el.com>
> Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/
> Signed-off-by: Hao Lan <lanhao@...wei.com>
> ---
> .../ethernet/hisilicon/hns3/hns3_debugfs.c | 31 ++++++++++++++-----
> .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 29 ++++++++++++++---
> 2 files changed, 48 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
> index d385ffc21876..0749515e270b 100644
> --- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
> +++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
> @@ -438,19 +438,36 @@ static void hns3_dbg_fill_content(char *content, u16 len,
> const struct hns3_dbg_item *items,
> const char **result, u16 size)
> {
> +#define HNS3_DBG_LINE_END_LEN 2
IMHO this macro should be defined outside the function (just before)
for better readability.
> char *pos = content;
> + u16 item_len;
> u16 i;
>
> + if (!len) {
> + return;
> + } else if (len <= HNS3_DBG_LINE_END_LEN) {
> + *pos++ = '\0';
> + return;
> + }
> +
> memset(content, ' ', len);
> - for (i = 0; i < size; i++) {
> - if (result)
> - strncpy(pos, result[i], strlen(result[i]));
> - else
> - strncpy(pos, items[i].name, strlen(items[i].name));
> + len -= HNS3_DBG_LINE_END_LEN;
>
> - pos += strlen(items[i].name) + items[i].interval;
> + for (i = 0; i < size; i++) {
> + item_len = strlen(items[i].name) + items[i].interval;
> + if (len < item_len)
> + break;
> +
> + if (result) {
> + if (item_len < strlen(result[i]))
> + break;
> + strcpy(pos, result[i]);
> + } else {
> + strcpy(pos, items[i].name);
> + }
> + pos += item_len;
> + len -= item_len;
I think it would be better using 'strscpy' instead of papering over
more unsecure functions.
Thanks,
Paolo
Powered by blists - more mailing lists