From: Ingo Molnar <mingo@kernel.org>
To: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@alien8.de>
Subject: Re: [PATCH] string: Fix strscpy() uninitialized data copy bug
Date: Tue, 6 Oct 2015 09:21:51 +0200 [thread overview]
Message-ID: <20151006072151.GA10672@gmail.com> (raw)
In-Reply-To: <5612C749.8090308@ezchip.com>
* Chris Metcalf <cmetcalf@ezchip.com> wrote:
> Unfortunately using memset() like that will break on big-endian machines.
doh ... and I somehow convinced myself that it was endian safe ;-)
> [...] I always have to go back and play around with the word-at-a-time.h
> definitions to get this right, but I think it's possible that the "data" itself
> has the mask to clear the unwanted bytes, i.e. you could do something like the
> following (untested).
>
> I'm still not totally convinced it's necessary, as programmers should generally
> assume anything beyond the end of a copied string is garbage anyway, and since
> we're not copying it to userspace we're not exposing any possibly secure data.
>
> Races shouldn't be a concern either since, after all, there is already a window
> where we may have overwritten the NUL end of an earlier shorter string, and now
> a racy copy from the partially-written dest buf could walk right off the end of
> the buffer itself, so you'd already better not be doing that.
>
> But, all that said, I'm not opposed to a simple fix to avoid carrying along the
> uninitialized bytes from beyond the end of the source string, since it does seem
> a bit cleaner, even if I can't put my finger in a reason why it would actually
> matter.
So it would matter for more advanced sharing ABIs: for example if there's an
mlock()-ed area registered on the kernel side as well as kernel accessible memory,
and if we do an strscpy() to such a target area, we don't want to leak
uninitialized data to user-space.
(This is not theoretical, the perf ring-buffer is such a construct for example.)
So IMHO this is a quality of implementation issue that we should fix.
> diff --git a/lib/string.c b/lib/string.c
> index 8dbb7b1eab50..ba64f4e0382d 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -203,12 +203,13 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
> unsigned long c, data;
> c = *(unsigned long *)(src+res);
> - *(unsigned long *)(dest+res) = c;
> if (has_zero(c, &data, &constants)) {
> data = prep_zero_mask(c, data, &constants);
> data = create_zero_mask(data);
> + *(unsigned long *)(dest+res) = c & data;
> return res + find_zero(data);
> }
> + *(unsigned long *)(dest+res) = c;
> res += sizeof(unsigned long);
> count -= sizeof(unsigned long);
> max -= sizeof(unsigned long);
Looks good to me!
Thanks,
Ingo
next prev parent reply other threads:[~2015-10-06 7:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-05 15:38 [PATCH] string: Improve the generic strlcpy() implementation Alexey Dobriyan
2015-10-05 16:11 ` Ingo Molnar
2015-10-05 16:13 ` Ingo Molnar
[not found] ` <CA+55aFyTVJfCt00gYJpiQW5kqPaRGJ93JmfRRni-73zCf5ivqg@mail.gmail.com>
2015-10-05 16:22 ` Ingo Molnar
2015-10-05 16:28 ` Ingo Molnar
2015-10-05 16:36 ` [PATCH] string: Fix strscpy() uninitialized data copy bug Ingo Molnar
2015-10-05 18:54 ` Chris Metcalf
2015-10-06 7:21 ` Ingo Molnar [this message]
2015-10-05 20:40 ` [PATCH] string: Improve the generic strlcpy() implementation Linus Torvalds
2015-10-06 16:47 ` [PATCH] strscpy: zero any trailing garbage bytes in the destination Chris Metcalf
2015-10-06 16:59 ` kbuild test robot
2015-10-06 17:34 ` Chris Metcalf
2015-10-07 7:28 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151006072151.GA10672@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=adobriyan@gmail.com \
--cc=bp@alien8.de \
--cc=cmetcalf@ezchip.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.