From: Joseph Qi <joseph.qi@linux.alibaba.com>
To: "Valentin Vidić" <vvidic@valentin-vidic.from.hr>
Cc: Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>,
ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ocfs2: mount fails with buffer overflow in strlen
Date: Wed, 29 Sep 2021 17:12:50 +0800 [thread overview]
Message-ID: <1ab61ba3-8c9b-092c-7843-9c45b58e3987@linux.alibaba.com> (raw)
In-Reply-To: <20210929062434.GN28341@valentin-vidic.from.hr>
On 9/29/21 2:24 PM, Valentin Vidić wrote:
> On Wed, Sep 29, 2021 at 10:38:59AM +0800, Joseph Qi wrote:
>> Okay, you are right, strlen(src) is indeed wrong here.
>>
>> But please note that in strlcpy():
>> size_t ret = strlen(src);
>> if (size) {
>> size_t len = (ret >= size) ? size - 1 : ret;
>> memcpy(dest, src, len);
>> dest[len] = '\0';
>> }
>>
>> Take ci_stack "o2cb" for example, strlen("o2cb") may return wrong if the
>> coming byte is not null, say it is 10.
>> The input size is 5, so len will finally be 4.
>> So dest is still correct ending with null byte. No overflow happens.
>> So the problem here is the wrong return value, but it is discarded in
>> ocfs2_initialize_super().
>
> strlcpy starts with a call to strlen(src) and this is where the read overflow
> happens. If the kernel is compiled with CONFIG_FORTIFY_SOURCE this gets
> executed instead (include/linux/fortify-string.h):
>
> __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
> {
> __kernel_size_t ret;
> size_t p_size = __builtin_object_size(p, 1);
>
> /* Work around gcc excess stack consumption issue */
> if (p_size == (size_t)-1 ||
> (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0'))
> return __underlying_strlen(p);
> ret = strnlen(p, p_size);
> if (p_size <= ret)
> fortify_panic(__func__);
> return ret;
> }
>
> So while strlcpy did work before this fortify check, it is probably not the
> best option anymore due to the missing null terminator in the source.
>
Got it, it really triggers panic in strlen().
So could you please update the commit log? I think CONFIG_FORTIFY_SOURCE
is necessary information since it is not default enabled.
And add comments with your changes, e.g.
/*
* ci_stack and ci_cluster in ocfs2_cluster_info may not null
* terminated, make sure no overflow happens here.
*/
BTW, since we use kzalloc to alloc osb, so we don't have to manually
set the last null byte.
Thanks,
Joseph
WARNING: multiple messages have this Message-ID (diff)
From: Joseph Qi <joseph.qi@linux.alibaba.com>
To: "Valentin Vidić" <vvidic@valentin-vidic.from.hr>
Cc: ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org
Subject: Re: [Ocfs2-devel] [PATCH] ocfs2: mount fails with buffer overflow in strlen
Date: Wed, 29 Sep 2021 17:12:50 +0800 [thread overview]
Message-ID: <1ab61ba3-8c9b-092c-7843-9c45b58e3987@linux.alibaba.com> (raw)
In-Reply-To: <20210929062434.GN28341@valentin-vidic.from.hr>
On 9/29/21 2:24 PM, Valentin Vidić wrote:
> On Wed, Sep 29, 2021 at 10:38:59AM +0800, Joseph Qi wrote:
>> Okay, you are right, strlen(src) is indeed wrong here.
>>
>> But please note that in strlcpy():
>> size_t ret = strlen(src);
>> if (size) {
>> size_t len = (ret >= size) ? size - 1 : ret;
>> memcpy(dest, src, len);
>> dest[len] = '\0';
>> }
>>
>> Take ci_stack "o2cb" for example, strlen("o2cb") may return wrong if the
>> coming byte is not null, say it is 10.
>> The input size is 5, so len will finally be 4.
>> So dest is still correct ending with null byte. No overflow happens.
>> So the problem here is the wrong return value, but it is discarded in
>> ocfs2_initialize_super().
>
> strlcpy starts with a call to strlen(src) and this is where the read overflow
> happens. If the kernel is compiled with CONFIG_FORTIFY_SOURCE this gets
> executed instead (include/linux/fortify-string.h):
>
> __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
> {
> __kernel_size_t ret;
> size_t p_size = __builtin_object_size(p, 1);
>
> /* Work around gcc excess stack consumption issue */
> if (p_size == (size_t)-1 ||
> (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0'))
> return __underlying_strlen(p);
> ret = strnlen(p, p_size);
> if (p_size <= ret)
> fortify_panic(__func__);
> return ret;
> }
>
> So while strlcpy did work before this fortify check, it is probably not the
> best option anymore due to the missing null terminator in the source.
>
Got it, it really triggers panic in strlen().
So could you please update the commit log? I think CONFIG_FORTIFY_SOURCE
is necessary information since it is not default enabled.
And add comments with your changes, e.g.
/*
* ci_stack and ci_cluster in ocfs2_cluster_info may not null
* terminated, make sure no overflow happens here.
*/
BTW, since we use kzalloc to alloc osb, so we don't have to manually
set the last null byte.
Thanks,
Joseph
_______________________________________________
Ocfs2-devel mailing list
Ocfs2-devel@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/ocfs2-devel
next prev parent reply other threads:[~2021-09-29 9:12 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-27 15:44 [PATCH] ocfs2: mount fails with buffer overflow in strlen Valentin Vidic
2021-09-27 15:44 ` [Ocfs2-devel] " Valentin Vidic
2021-09-28 12:05 ` Joseph Qi
2021-09-28 12:05 ` [Ocfs2-devel] " Joseph Qi
2021-09-28 13:14 ` Valentin Vidić
2021-09-28 13:14 ` [Ocfs2-devel] " Valentin Vidić
2021-09-29 2:38 ` Joseph Qi
2021-09-29 2:38 ` [Ocfs2-devel] " Joseph Qi
2021-09-29 6:24 ` Valentin Vidić
2021-09-29 6:24 ` [Ocfs2-devel] " Valentin Vidić
2021-09-29 9:12 ` Joseph Qi [this message]
2021-09-29 9:12 ` Joseph Qi
2021-09-29 18:06 ` [PATCH v2] " Valentin Vidic
2021-09-29 18:06 ` [Ocfs2-devel] " Valentin Vidic
2021-09-30 1:54 ` Joseph Qi
2021-09-30 1:54 ` [Ocfs2-devel] " Joseph Qi
2021-10-08 10:46 ` Gang He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ab61ba3-8c9b-092c-7843-9c45b58e3987@linux.alibaba.com \
--to=joseph.qi@linux.alibaba.com \
--cc=jlbec@evilplan.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=ocfs2-devel@oss.oracle.com \
--cc=vvidic@valentin-vidic.from.hr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.