linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 1/1] misc: c2port: core: Make copying name from userspace more secure
@ 2020-07-14  8:32 Lee Jones
  2020-07-14  9:01 ` Arnd Bergmann
  2020-07-23  7:41 ` Greg KH
  0 siblings, 2 replies; 3+ messages in thread
From: Lee Jones @ 2020-07-14  8:32 UTC (permalink / raw)
  To: arnd, gregkh
  Cc: linux-arm-kernel, linux-kernel, Lee Jones, Rodolfo Giometti,
	Eurotech S.p.A, Geert Uytterhoeven

Currently the 'c2dev' device data is not zeroed when its allocated.
Coupled with the fact strncpy() *may not* provide a NUL terminator
means that a 1-byte leak would be possible *if* this was ever copied
to userspace.

To prevent such a failing, let's first ensure the 'c2dev' device data
area is fully zeroed out and ensure the buffer will always be NUL
terminated by using the kernel's strscpy() which a) uses the
destination (instead of the source) size as the bytes to copy and b)
is *always* NUL terminated.

Cc: Rodolfo Giometti <giometti@enneenne.com>
Cc: "Eurotech S.p.A" <info@eurotech.it>
Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
---
 drivers/misc/c2port/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
index 80d87e8a0bea9..0de538a1cc1c6 100644
--- a/drivers/misc/c2port/core.c
+++ b/drivers/misc/c2port/core.c
@@ -899,7 +899,7 @@ struct c2port_device *c2port_device_register(char *name,
 		unlikely(!ops->c2d_get) || unlikely(!ops->c2d_set))
 		return ERR_PTR(-EINVAL);
 
-	c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL);
+	c2dev = kzalloc(sizeof(struct c2port_device), GFP_KERNEL);
 	if (unlikely(!c2dev))
 		return ERR_PTR(-ENOMEM);
 
@@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name,
 	}
 	dev_set_drvdata(c2dev->dev, c2dev);
 
-	strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1);
+	strscpy(c2dev->name, name, sizeof(c2dev->name));
 	c2dev->ops = ops;
 	mutex_init(&c2dev->mutex);
 
-- 
2.25.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] misc: c2port: core: Make copying name from userspace more secure
  2020-07-14  8:32 [PATCH 1/1] misc: c2port: core: Make copying name from userspace more secure Lee Jones
@ 2020-07-14  9:01 ` Arnd Bergmann
  2020-07-23  7:41 ` Greg KH
  1 sibling, 0 replies; 3+ messages in thread
From: Arnd Bergmann @ 2020-07-14  9:01 UTC (permalink / raw)
  To: Lee Jones
  Cc: gregkh, Linux ARM, linux-kernel, Rodolfo Giometti,
	Eurotech S.p.A, Geert Uytterhoeven

On Tue, Jul 14, 2020 at 10:33 AM Lee Jones <lee.jones@linaro.org> wrote:
>
> Currently the 'c2dev' device data is not zeroed when its allocated.
> Coupled with the fact strncpy() *may not* provide a NUL terminator
> means that a 1-byte leak would be possible *if* this was ever copied
> to userspace.
>
> To prevent such a failing, let's first ensure the 'c2dev' device data
> area is fully zeroed out and ensure the buffer will always be NUL
> terminated by using the kernel's strscpy() which a) uses the
> destination (instead of the source) size as the bytes to copy and b)
> is *always* NUL terminated.
>
> Cc: Rodolfo Giometti <giometti@enneenne.com>
> Cc: "Eurotech S.p.A" <info@eurotech.it>
> Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>

Acked-by: Arnd Bergmann <arnd@arndb.de>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/1] misc: c2port: core: Make copying name from userspace more secure
  2020-07-14  8:32 [PATCH 1/1] misc: c2port: core: Make copying name from userspace more secure Lee Jones
  2020-07-14  9:01 ` Arnd Bergmann
@ 2020-07-23  7:41 ` Greg KH
  1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2020-07-23  7:41 UTC (permalink / raw)
  To: Lee Jones
  Cc: arnd, linux-arm-kernel, linux-kernel, Rodolfo Giometti,
	Eurotech S.p.A, Geert Uytterhoeven

On Tue, Jul 14, 2020 at 09:32:59AM +0100, Lee Jones wrote:
> Currently the 'c2dev' device data is not zeroed when its allocated.
> Coupled with the fact strncpy() *may not* provide a NUL terminator
> means that a 1-byte leak would be possible *if* this was ever copied
> to userspace.

c2dev is a kernel internal structure, it is never copied to userspace,
so why even mention such a thing?

> To prevent such a failing, let's first ensure the 'c2dev' device data
> area is fully zeroed out and ensure the buffer will always be NUL
> terminated by using the kernel's strscpy() which a) uses the
> destination (instead of the source) size as the bytes to copy and b)
> is *always* NUL terminated.
> 
> Cc: Rodolfo Giometti <giometti@enneenne.com>
> Cc: "Eurotech S.p.A" <info@eurotech.it>
> Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> ---
>  drivers/misc/c2port/core.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
> index 80d87e8a0bea9..0de538a1cc1c6 100644
> --- a/drivers/misc/c2port/core.c
> +++ b/drivers/misc/c2port/core.c
> @@ -899,7 +899,7 @@ struct c2port_device *c2port_device_register(char *name,
>  		unlikely(!ops->c2d_get) || unlikely(!ops->c2d_set))
>  		return ERR_PTR(-EINVAL);
>  
> -	c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL);
> +	c2dev = kzalloc(sizeof(struct c2port_device), GFP_KERNEL);

All fields seem to be properly initialized so this really isn't needed
from what I can tell.

>  	if (unlikely(!c2dev))
>  		return ERR_PTR(-ENOMEM);
>  
> @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name,
>  	}
>  	dev_set_drvdata(c2dev->dev, c2dev);
>  
> -	strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1);
> +	strscpy(c2dev->name, name, sizeof(c2dev->name));

Given there is only 1 user of this function, and it passes in "uc", this
isn't a big deal :)

But, I can take this as a separate patch, if you want to redo this, just
to be safe in the future.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-07-23  7:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-14  8:32 [PATCH 1/1] misc: c2port: core: Make copying name from userspace more secure Lee Jones
2020-07-14  9:01 ` Arnd Bergmann
2020-07-23  7:41 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).