From: Michael Ellerman <mpe@ellerman.id.au>
To: Jann Horn <jannh@google.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
kernel list <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH] seq_buf: Make seq_buf_puts() NULL terminate the buffer
Date: Fri, 19 Oct 2018 15:17:48 +1100 [thread overview]
Message-ID: <87sh12vac3.fsf@concordia.ellerman.id.au> (raw)
In-Reply-To: <CAG48ez2W8HeJcuPwA25vSqTco3B=CRzycSA0=--pG=7jWi3pPw@mail.gmail.com>
Jann Horn <jannh@google.com> writes:
> On Wed, Oct 17, 2018 at 2:10 PM Michael Ellerman <mpe@ellerman.id.au> wrote:
>> Currently seq_buf_puts() will happily create a non NULL terminated
>> string for you in the buffer. This is particularly dangerous if the
>> buffer is on the stack.
>>
>> For example:
>>
>> char buf[8];
>> char secret = "secret";
>> struct seq_buf s;
>>
>> seq_buf_init(&s, buf, sizeof(buf));
>> seq_buf_puts(&s, "foo");
>> printk("Message is %s\n", buf);
>>
>> Can result in:
>>
>> Message is fooªªªªªsecret
>>
>> We could require all users to memset() their buffer to NULL before
>> use. But that seems likely to be forgotten and lead to bugs.
>>
>> Instead we can change seq_buf_puts() to always leave the buffer in a
>> NULL terminated state.
>>
>> The only downside is that this makes the buffer 1 character smaller
>> for seq_buf_puts(), but that seems like a good trade off.
>
> After this, you can also simplify rdt_last_cmd_status_show(), right?
Yes.
We also have a seq_buf_printf() in powerpc code that is printing a fixed
string purely to get NULL termination, so that can become a
seq_buf_puts().
>> diff --git a/lib/seq_buf.c b/lib/seq_buf.c
>> index 11f2ae0f9099..b1570204cde3 100644
>> --- a/lib/seq_buf.c
>> +++ b/lib/seq_buf.c
>> @@ -144,9 +144,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str)
>>
>> WARN_ON(s->size == 0);
>>
>> + /* Add 1 to len for the trailing NULL which must be there */
>
> Nit: In the comments, I would prefer either "null byte" or "NUL"
> instead of "NULL" when talking about something that is not a pointer.
Hmm yeah I guess. I think of them as being more or less the same thing,
or at least interchangeable, but that's a bit sloppy.
I'll send a v2 with "null byte".
>> + len += 1;
>
> It looks like you're using an "unsigned int" for the length, meaning
> that this can in theory (e.g. when operating on a string from a big
> vmalloc buffer) overflow. You should be using size_t here.
Yes you're right.
And if len overflows to zero above ..
>> if (seq_buf_can_fit(s, len)) {
This will return true.
>> memcpy(s->buffer + s->len, str, len);
>> - s->len += len;
>> + /* Don't count the trailing NULL against the capacity */
>> + s->len += len - 1;
And then here s->len becomes UINT_MAX.
I think. Which is probably not what we want.
I'll send a patch to switch to size_t in there.
cheers
next prev parent reply other threads:[~2018-10-19 4:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-17 12:10 [PATCH] seq_buf: Make seq_buf_puts() NULL terminate the buffer Michael Ellerman
2018-10-17 12:26 ` Jann Horn
2018-10-17 12:42 ` Steven Rostedt
2018-10-19 4:17 ` Michael Ellerman [this message]
2018-10-17 14:48 ` Steven Rostedt
2018-10-19 0:35 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sh12vac3.fsf@concordia.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=jannh@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).