| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231113083544.1685919-1-gal@nvidia.com>
Date: Mon, 13 Nov 2023 10:35:44 +0200
From: Gal Pressman <gal@...dia.com>
To: "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>
CC: <netdev@...r.kernel.org>, Gal Pressman <gal@...dia.com>, Vlad Buslov
<vladbu@...dia.com>
Subject: [PATCH net] net: Fix undefined behavior in netdev name allocation
Cited commit removed the strscpy() call and kept the snprintf() only.
When allocating a netdev, 'res' and 'name' pointers are equal, but
according to POSIX, if copying takes place between objects that overlap
as a result of a call to sprintf() or snprintf(), the results are
undefined.
Add back the strscpy() and use 'buf' as an intermediate buffer.
Fixes: 9a810468126c ("net: reduce indentation of __dev_alloc_name()")
Cc: Jakub Kicinski <kuba@...nel.org>
Reviewed-by: Vlad Buslov <vladbu@...dia.com>
Signed-off-by: Gal Pressman <gal@...dia.com>
---
net/core/dev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0d548431f3fa..af53f6d838ce 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1119,7 +1119,9 @@ static int __dev_alloc_name(struct net *net, const char *name, char *res)
if (i == max_netdevices)
return -ENFILE;
- snprintf(res, IFNAMSIZ, name, i);
+ /* 'res' and 'name' could overlap, use 'buf' as an intermediate buffer */
+ strscpy(buf, name, IFNAMSIZ);
+ snprintf(res, IFNAMSIZ, buf, i);
return i;
}
--
2.40.1
Powered by blists - more mailing lists