From: Michael Ellerman <mpe@ellerman.id.au>
To: rostedt@goodmis.org
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, jannh@google.com,
keescook@chromium.org
Subject: [PATCH v2 1/2] seq_buf: Make seq_buf_puts() null-terminate the buffer
Date: Fri, 19 Oct 2018 15:21:08 +1100 [thread overview]
Message-ID: <20181019042109.8064-1-mpe@ellerman.id.au> (raw)
Currently seq_buf_puts() will happily create a non null-terminated
string for you in the buffer. This is particularly dangerous if the
buffer is on the stack.
For example:
char buf[8];
char secret = "secret";
struct seq_buf s;
seq_buf_init(&s, buf, sizeof(buf));
seq_buf_puts(&s, "foo");
printk("Message is %s\n", buf);
Can result in:
Message is fooªªªªªsecret
We could require all users to memset() their buffer to zero before
use. But that seems likely to be forgotten and lead to bugs.
Instead we can change seq_buf_puts() to always leave the buffer in a
null-terminated state.
The only downside is that this makes the buffer 1 character smaller
for seq_buf_puts(), but that seems like a good trade off.
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
lib/seq_buf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
v2: Fix NULL/null terminology.
diff --git a/lib/seq_buf.c b/lib/seq_buf.c
index 11f2ae0f9099..6aabb609dd87 100644
--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -144,9 +144,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str)
WARN_ON(s->size == 0);
+ /* Add 1 to len for the trailing null byte which must be there */
+ len += 1;
+
if (seq_buf_can_fit(s, len)) {
memcpy(s->buffer + s->len, str, len);
- s->len += len;
+ /* Don't count the trailing null byte against the capacity */
+ s->len += len - 1;
return 0;
}
seq_buf_set_overflow(s);
--
2.17.2
next reply other threads:[~2018-10-19 4:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-19 4:21 Michael Ellerman [this message]
2018-10-19 4:21 ` [PATCH v2 2/2] seq_buf: Use size_t for len in seq_buf_puts() Michael Ellerman
2018-12-12 11:21 ` [PATCH v2 1/2] seq_buf: Make seq_buf_puts() null-terminate the buffer Michael Ellerman
2018-12-12 13:45 ` Steven Rostedt
2018-12-12 13:50 ` Steven Rostedt
2018-12-18 3:58 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181019042109.8064-1-mpe@ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).