From: Al Viro <viro@ZenIV.linux.org.uk>
To: Julia Lawall <julia.lawall@lip6.fr>
Cc: simran singhal <singhalsimran0@gmail.com>,
gregkh@linuxfoundation.org, arve@android.com,
riandrews@android.com, devel@driverdev.osuosl.org,
linux-kernel@vger.kernel.org, outreachy-kernel@googlegroups.com
Subject: Re: [Outreachy kernel] [PATCH] staging: android: Replace strcpy with strlcpy
Date: Sun, 12 Mar 2017 01:11:40 +0000 [thread overview]
Message-ID: <20170312011135.GM29622@ZenIV.linux.org.uk> (raw)
In-Reply-To: <alpine.DEB.2.20.1703112147110.2270@hadrien>
On Sat, Mar 11, 2017 at 09:47:30PM +0100, Julia Lawall wrote:
>
>
> On Sun, 12 Mar 2017, simran singhal wrote:
>
> > Replace strcpy with strlcpy as strcpy does not check for buffer
> > overflow.
> > This is found using Flawfinder.
> >
> > Signed-off-by: simran singhal <singhalsimran0@gmail.com>
> > ---
> > drivers/staging/android/ashmem.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
> > index 7cbad0d..eb2f4ef 100644
> > --- a/drivers/staging/android/ashmem.c
> > +++ b/drivers/staging/android/ashmem.c
> > @@ -548,7 +548,8 @@ static int set_name(struct ashmem_area *asma, void __user *name)
> > if (unlikely(asma->file))
> > ret = -EINVAL;
> > else
> > - strcpy(asma->name + ASHMEM_NAME_PREFIX_LEN, local_name);
> > + strlcpy(asma->name + ASHMEM_NAME_PREFIX_LEN, local_name,
> > + sizeof(asma->name + ASHMEM_NAME_PREFIX_LEN));
>
> There is a parenthesis in the wrong place.
Worse - moving parenthesis to just after asma->name would result in
interestingly bogus value (size + amount skipped instead of size -
amount skipped).
Folks, blind changes in name of security are seriously counterproductive;
fortunately, in this particular case overflow prevention is taken care
of by earlier code (source of strcpy is a local array of size that
isn't enough to cause trouble and it is NUL-terminated), so that
particular strlcpy() is simply pointless, but if not for that...
Variant with sizeof(asma->name) + ASHMEM_NAME_PREFIX_LEN would've
invited an overflow *and* made it harder to spot in the future -
"it uses strlcpy, no worries about overflows here"...
next prev parent reply other threads:[~2017-03-12 6:13 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-11 20:40 [PATCH] staging: android: Replace strcpy with strlcpy simran singhal
2017-03-11 20:47 ` [Outreachy kernel] " Julia Lawall
2017-03-12 1:11 ` Al Viro [this message]
2017-03-12 0:59 ` Al Viro
2017-03-13 12:41 ` Dan Carpenter
2017-03-13 12:47 ` SIMRAN SINGHAL
2017-03-13 12:57 ` Dan Carpenter
2017-03-13 13:14 ` SIMRAN SINGHAL
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170312011135.GM29622@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=julia.lawall@lip6.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=outreachy-kernel@googlegroups.com \
--cc=riandrews@android.com \
--cc=singhalsimran0@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.