* + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree
@ 2014-04-14 21:47 akpm
2014-04-15 10:49 ` Alexey Dobriyan
0 siblings, 1 reply; 4+ messages in thread
From: akpm @ 2014-04-14 21:47 UTC (permalink / raw)
To: mm-commits, vegard.nossum, dan.carpenter
Subject: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree
To: dan.carpenter@oracle.com,vegard.nossum@gmail.com
From: akpm@linux-foundation.org
Date: Mon, 14 Apr 2014 14:47:03 -0700
The patch titled
Subject: lib/string.c: strlcpy() might read too far
has been added to the -mm tree. Its filename is
lib-stringc-strlcpy-might-read-too-far.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/lib-stringc-strlcpy-might-read-too-far.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/lib-stringc-strlcpy-might-read-too-far.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: lib/string.c: strlcpy() might read too far
Imagine you have a user controlled variable at the end of a struct which
is allocated at the end of a page. The strlen() could read beyond the
mapped memory and cause an oops.
Probably there are two reasons why we have never hit this condition in
real life. First you would have to be really unlucky for all the
variables to line up so the oops can happen. Second we don't do a lot of
fuzzing with invalid strings.
The strnlen() call is obviously a little bit slower than strlen() but I
have tested it and I think it's probably ok.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
lib/string.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN lib/string.c~lib-stringc-strlcpy-might-read-too-far lib/string.c
--- a/lib/string.c~lib-stringc-strlcpy-might-read-too-far
+++ a/lib/string.c
@@ -148,10 +148,10 @@ EXPORT_SYMBOL(strncpy);
*/
size_t strlcpy(char *dest, const char *src, size_t size)
{
- size_t ret = strlen(src);
+ size_t ret = strnlen(src, size);
if (size) {
- size_t len = (ret >= size) ? size - 1 : ret;
+ size_t len = (ret < size) ? ret : ret - 1;
memcpy(dest, src, len);
dest[len] = '\0';
}
_
Patches currently in -mm which might be from dan.carpenter@oracle.com are
lib-stringc-use-the-name-c-string-in-comments.patch
lib-stringc-strlcpy-might-read-too-far.patch
linux-next.patch
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree
2014-04-14 21:47 + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree akpm
@ 2014-04-15 10:49 ` Alexey Dobriyan
2014-04-15 11:18 ` Dan Carpenter
0 siblings, 1 reply; 4+ messages in thread
From: Alexey Dobriyan @ 2014-04-15 10:49 UTC (permalink / raw)
To: Linux Kernel; +Cc: Vegard Nossum, Dan Carpenter, Andrew Morton
On Tue, Apr 15, 2014 at 12:47 AM, <akpm@linux-foundation.org> wrote:
> Subject: lib/string.c: strlcpy() might read too far
>
> Imagine you have a user controlled variable at the end of a struct which
> is allocated at the end of a page. The strlen() could read beyond the
> mapped memory and cause an oops.
>
> Probably there are two reasons why we have never hit this condition in
> real life. First you would have to be really unlucky for all the
> variables to line up so the oops can happen. Second we don't do a lot of
> fuzzing with invalid strings.
>
> The strnlen() call is obviously a little bit slower than strlen() but I
> have tested it and I think it's probably ok.
> --- a/lib/string.c~lib-stringc-strlcpy-might-read-too-far
> +++ a/lib/string.c
> @@ -148,10 +148,10 @@ EXPORT_SYMBOL(strncpy);
> */
> size_t strlcpy(char *dest, const char *src, size_t size)
> {
> - size_t ret = strlen(src);
> + size_t ret = strnlen(src, size);
>
> if (size) {
> - size_t len = (ret >= size) ? size - 1 : ret;
> + size_t len = (ret < size) ? ret : ret - 1;
> memcpy(dest, src, len);
> dest[len] = '\0';
> }
Return value matters. It may not matter for kernel, because kernel is
not heavy string user.
But it is better to not diverge from master code:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/strlcpy.c?rev=1.11
Counter-rationale:
* strlcpy() accepts strings, so if you're giving raw buffer you're
doing it wrong.
* last byte of last page argument is bogus because kernel copies data
from userspace first.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree
2014-04-15 10:49 ` Alexey Dobriyan
@ 2014-04-15 11:18 ` Dan Carpenter
2014-04-15 11:36 ` Alexey Dobriyan
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2014-04-15 11:18 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: Linux Kernel, Vegard Nossum, Andrew Morton
On Tue, Apr 15, 2014 at 01:49:38PM +0300, Alexey Dobriyan wrote:
> Return value matters. It may not matter for kernel, because kernel is
> not heavy string user.
> But it is better to not diverge from master code:
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/strlcpy.c?rev=1.11
>
Oh... Hm. Maybe we should drop this patch then.
> Counter-rationale:
> * strlcpy() accepts strings, so if you're giving raw buffer you're
> doing it wrong.
> * last byte of last page argument is bogus because kernel copies data
> from userspace first.
The last byte of the page argument seems possible:
foo = kmalloc();
copy_from_user(foo, arg, sizeof(foo));
strlcpy(dest.str, foo->bar, sizeof(dest.str));
It's a very unlikely scenario. You have to be very unlucky to hit it at
all.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree
2014-04-15 11:18 ` Dan Carpenter
@ 2014-04-15 11:36 ` Alexey Dobriyan
0 siblings, 0 replies; 4+ messages in thread
From: Alexey Dobriyan @ 2014-04-15 11:36 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Linux Kernel, Vegard Nossum, Andrew Morton
On Tue, Apr 15, 2014 at 2:18 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Tue, Apr 15, 2014 at 01:49:38PM +0300, Alexey Dobriyan wrote:
>> Return value matters. It may not matter for kernel, because kernel is
>> not heavy string user.
>> But it is better to not diverge from master code:
>> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/strlcpy.c?rev=1.11
>>
>
> Oh... Hm. Maybe we should drop this patch then.
>
>> Counter-rationale:
>> * strlcpy() accepts strings, so if you're giving raw buffer you're
>> doing it wrong.
>> * last byte of last page argument is bogus because kernel copies data
>> from userspace first.
>
> The last byte of the page argument seems possible:
>
> foo = kmalloc();
> copy_from_user(foo, arg, sizeof(foo));
Correct code would do
foo->bar[sizeof(foo->bar)-1] = '\0';
if this field is a string.
> strlcpy(dest.str, foo->bar, sizeof(dest.str));
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-04-15 11:36 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-14 21:47 + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree akpm
2014-04-15 10:49 ` Alexey Dobriyan
2014-04-15 11:18 ` Dan Carpenter
2014-04-15 11:36 ` Alexey Dobriyan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.