From: Dan Carpenter <dan.carpenter@oracle.com>
To: SIMRAN SINGHAL <singhalsimran0@gmail.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
devel@driverdev.osuosl.org,
outreachy-kernel <outreachy-kernel@googlegroups.com>,
arve@android.com, riandrews@android.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: android: Replace strcpy with strlcpy
Date: Mon, 13 Mar 2017 15:57:46 +0300
Message-ID: <20170313125746.GD4187@mwanda>
In-Reply-To: <CALrZqyPRjhnpVswEDXqdiP=e+5Z5GKxUqomVXDExpa5thjGuPg@mail.gmail.com>
On Mon, Mar 13, 2017 at 06:17:22PM +0530, SIMRAN SINGHAL wrote:
> On Mon, Mar 13, 2017 at 6:11 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > On Sun, Mar 12, 2017 at 02:10:01AM +0530, simran singhal wrote:
> >> Replace strcpy with strlcpy as strcpy does not check for buffer
> >> overflow.
> >> This is found using Flawfinder.
> >>
> >> Signed-off-by: simran singhal <singhalsimran0@gmail.com>
> >> ---
> >> drivers/staging/android/ashmem.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
> >> index 7cbad0d..eb2f4ef 100644
> >> --- a/drivers/staging/android/ashmem.c
> >> +++ b/drivers/staging/android/ashmem.c
> >> @@ -548,7 +548,8 @@ static int set_name(struct ashmem_area *asma, void __user *name)
> >> if (unlikely(asma->file))
> >> ret = -EINVAL;
> >> else
> >> - strcpy(asma->name + ASHMEM_NAME_PREFIX_LEN, local_name);
> >> + strlcpy(asma->name + ASHMEM_NAME_PREFIX_LEN, local_name,
> >> + sizeof(asma->name + ASHMEM_NAME_PREFIX_LEN));
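Review bot: the bound passed to strlcpy on the last `+` line, `sizeof(asma->name + ASHMEM_NAME_PREFIX_LEN)`, is the size of a pointer, not the space left in the buffer: in the addition `asma->name` decays to `char *`, so the expression is `sizeof(char *)` (8 on a 64-bit build), and any name longer than 7 characters is silently cut short because the strlcpy return value is not checked either. The remaining space is `sizeof(asma->name) - ASHMEM_NAME_PREFIX_LEN`, which is what the v3 mentioned later in this thread uses. Separately, the changelog says strcpy "does not check for buffer overflow" but gives neither the size of `asma->name` nor the bound on `local_name` before this point; without those two numbers a reviewer cannot tell a real overflow from a Flawfinder false positive, so either state them or say plainly that the change is a hardening aid that makes the copy easier to audit.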
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This isn't right.
> >
> > Also please do some analysis to see if it's a real bug or a false
> > positive. It is a false positive in this case.
> >
>
> Dan,
> I have already sent v3 of this in which I have used:
> sizeof(asma->name) - ASHMEM_NAME_PREFIX_LEN
Yeah. I saw that. It's fine, I suppose, but you should have done more
analysis to see if it was a real bug like Al and Greg suggested. The
changelog should say something like:

"The destination buffer is 12345 bytes long but we're copying a 10000
character string so it can overflow."

Occasionally, I will fudge a little bit on these changelogs to say that
I have looked everywhere to determine the size of the source buffer and
can't figure it out, so this change makes it easier to audit. But I try
to figure it out generally.

Really, tools should be able to show that this code is safe. They
currently don't so far as I know, but they should. It's a matter of
waiting a year for Smatch to improve.
regards,
dan carpenter
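The two points in Dan's reply, that `sizeof(asma->name + ASHMEM_NAME_PREFIX_LEN)` is not the destination size and that the changelog should spell out the size arithmetic, as an added user-space C example. This is not code from the thread or from the ashmem driver: the struct layout and the `ASHMEM_*` constants are modelled on the driver but are assumed values here, `copy_bounded()` is a local reimplementation of strlcpy semantics, and `demo_*()` are helpers for this example only. Whether `local_name` really is bounded to `ASHMEM_NAME_LEN` bytes before the copy is not shown on the page; `strcpy_cannot_overflow()` only encodes the arithmetic that analysis would have to establish.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout modelled on the ashmem name buffer. These values are assumptions
 * for this example; the thread above does not show them.
 */
#define ASHMEM_NAME_LEN        256
#define ASHMEM_NAME_PREFIX     "dev/ashmem/"
#define ASHMEM_NAME_PREFIX_LEN (sizeof(ASHMEM_NAME_PREFIX) - 1)
#define ASHMEM_FULL_NAME_LEN   (ASHMEM_NAME_LEN + ASHMEM_NAME_PREFIX_LEN)

struct ashmem_area {
	char name[ASHMEM_FULL_NAME_LEN];	/* prefix followed by the user-supplied name */
};

/* The bound the v1 patch passed: asma->name decays to char * in the addition,
 * so this is sizeof(char *), 8 on a 64-bit build, whatever the buffer size.
 * clang's -Wsizeof-array-decay warning flags exactly this expression. */
size_t wrong_dst_size(const struct ashmem_area *asma)
{
	return sizeof(asma->name + ASHMEM_NAME_PREFIX_LEN);
}

/* The bound v3 uses: the array size minus the prefix already in place. */
size_t right_dst_size(const struct ashmem_area *asma)
{
	return sizeof(asma->name) - ASHMEM_NAME_PREFIX_LEN;
}

/* strlcpy semantics, under a different name so it cannot clash with a libc
 * that provides strlcpy: always NUL-terminates when size > 0 and returns
 * strlen(src), so a result >= size means the copy was truncated. */
size_t copy_bounded(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);

	if (size) {
		size_t n = len < size ? len : size - 1;

		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return len;
}

/* Mirrors the fixed set_name(): write the prefix, then copy local_name into
 * what is left using the supplied bound. Returns 1 if the name was truncated. */
int set_name_bounded(struct ashmem_area *asma, const char *local_name, size_t bound)
{
	memcpy(asma->name, ASHMEM_NAME_PREFIX, ASHMEM_NAME_PREFIX_LEN);
	return copy_bounded(asma->name + ASHMEM_NAME_PREFIX_LEN, local_name, bound) >= bound;
}

/* The check a changelog should state: if the caller guarantees local_name is
 * at most src_buf_size bytes including its terminator, the original strcpy
 * cannot run past the end of asma->name. Proving that bound holds is the
 * analysis the thread asks for; this only encodes the comparison. */
int strcpy_cannot_overflow(const struct ashmem_area *asma, size_t src_buf_size)
{
	return src_buf_size <= right_dst_size(asma);
}

static struct ashmem_area demo;	/* scratch area used by the demo helpers */

const struct ashmem_area *demo_area(void)
{
	return &demo;
}

/* Run one copy with either bound and hand back the resulting name. */
const char *demo_name(const char *local_name, int use_wrong_bound)
{
	size_t bound = use_wrong_bound ? wrong_dst_size(&demo) : right_dst_size(&demo);

	memset(&demo, 0, sizeof(demo));
	set_name_bounded(&demo, local_name, bound);
	return demo.name;
}

/* Same copy, reporting whether it was cut short. */
int demo_truncated(const char *local_name, int use_wrong_bound)
{
	size_t bound = use_wrong_bound ? wrong_dst_size(&demo) : right_dst_size(&demo);

	memset(&demo, 0, sizeof(demo));
	return set_name_bounded(&demo, local_name, bound);
}

int main(void)
{
	const struct ashmem_area *a = demo_area();

	printf("sizeof(asma->name + ASHMEM_NAME_PREFIX_LEN) = %zu (pointer size)\n", wrong_dst_size(a));
	printf("sizeof(asma->name) - ASHMEM_NAME_PREFIX_LEN = %zu (bytes left)\n", right_dst_size(a));
	printf("wrong bound: \"%s\" truncated=%d\n", demo_name("a-longer-region-name", 1),
	       demo_truncated("a-longer-region-name", 1));
	printf("right bound: \"%s\" truncated=%d\n", demo_name("a-longer-region-name", 0),
	       demo_truncated("a-longer-region-name", 0));
	printf("strcpy safe with a %d-byte source buffer: %d\n", ASHMEM_NAME_LEN,
	       strcpy_cannot_overflow(a, ASHMEM_NAME_LEN));
	return 0;
}
```

Build with `cc -Wall` and compare the two sizes it prints: the v1 expression yields the pointer width, so a 20-character name comes out as 7 characters with no error returned, which is the silent truncation a wrong strlcpy bound produces in place of the overflow it was meant to prevent. The last line is the arithmetic the changelog should carry: the destination has `ASHMEM_NAME_LEN` bytes after the prefix, so a source bounded to that many bytes including its NUL makes the original strcpy safe, and a larger or unknown bound is what would justify the patch.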
Thread overview (8+ messages):
2017-03-11 20:40 [PATCH] staging: android: Replace strcpy with strlcpy simran singhal
2017-03-11 20:47 ` [Outreachy kernel] " Julia Lawall
2017-03-12 1:11 ` Al Viro
2017-03-12 0:59 ` Al Viro
2017-03-13 12:41 ` Dan Carpenter
2017-03-13 12:47 ` SIMRAN SINGHAL
2017-03-13 12:57 ` Dan Carpenter [this message]
2017-03-13 13:14 ` SIMRAN SINGHAL