From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Bernd Edlinger <bernd.edlinger@hotmail.de>
Cc: Tejun Heo <tj@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCHv2] Fix range checks in kernfs_get_target_path
Date: Sat, 7 Jul 2018 16:01:40 +0200
Message-ID: <20180707140140.GA4941@kroah.com>
In-Reply-To: <AM5PR0701MB265728DBCC26198F64EEC027E4460@AM5PR0701MB2657.eurprd07.prod.outlook.com>
On Sat, Jul 07, 2018 at 09:41:03AM +0000, Bernd Edlinger wrote:
> The strncpy causes a warning [-Wstringop-truncation] here,
> which indicates that it never appends a NUL byte to the path.
> The NUL byte is only there because the buffer is allocated
> with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the range-check
> is also off-by-one, and PAGE_SIZE==PATH_MAX the returned string
> will not be zero-terminated if it is exactly PATH_MAX characters.
> Furthermore, the initial loop may also theoretically exceed PATH_MAX
> and cause a fault.
>
> Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
> ---
> fs/kernfs/symlink.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c
> index 08ccabd..c8b7d44a 100644
> --- a/fs/kernfs/symlink.c
> +++ b/fs/kernfs/symlink.c
> @@ -63,7 +63,10 @@ static int kernfs_get_target_path(struct kernfs_node
> if (base == kn)
> break;
>
> - strcpy(s, "../");
> + if ((s - path) + 3 >= PATH_MAX)
> + return -ENAMETOOLONG;
> +
> + memcpy(s, "../", 3);
> s += 3;
> base = base->parent;
> }
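Review bot: the new guard `(s - path) + 3 >= PATH_MAX` before the memcpy is the right bound only in combination with the explicit terminator added in the next hunk; on its own the strcpy it replaces also wrote a NUL after each "../" that memcpy does not, so an early -ENAMETOOLONG return from this loop leaves `path` without a terminator written by this function. That is fine as long as callers discard the buffer on error, but the commit message should say so, and should state why the memcpy swap is safe rather than leaving it implicit.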
> @@ -79,16 +82,17 @@ static int kernfs_get_target_path(struct kernfs_node
> if (len < 2)
> return -EINVAL;
> len--;
> - if ((s - path) + len > PATH_MAX)
> + if ((s - path) + len >= PATH_MAX)
> return -ENAMETOOLONG;
>
> /* reverse fillup of target string from target to base */
> kn = target;
> + s[len] = '\0';
> while (kn->parent && kn != base) {
> int slen = strlen(kn->name);
>
> len -= slen;
> - strncpy(s + len, kn->name, slen);
> + memcpy(s + len, kn->name, slen);
> if (len)
> s[--len] = '/';
>
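Review bot: the `>` to `>=` change on the length check is the substantive fix and deserves its own sentence in the commit message: with `>`, `(s - path) + len == PATH_MAX` passes, and since `len--` has just made `len` the index of the terminator, the added `s[len] = '\0'` would then land on `path[PATH_MAX]`, one byte past a PATH_MAX-sized buffer; the explicit terminator is only safe together with the tightened check. The `strncpy(s + len, kn->name, slen)` to `memcpy` swap is behaviour-preserving (`slen` never includes the NUL) and would be easier to review as a separate patch.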
This last memcpy replacement has already been applied to my tree, from a
patch from someone else, so are you sure all of the other changes are
also really needed? Why the extra \0 termination of a string that is
already terminated?
And why is the first memcpy replacement needed? gcc doesn't say
anything about that, does it?
thanks,
greg k-h
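As an added example that is not part of this thread or of the kernel source, the following user-space model of the reverse-fill logic in kernfs_get_target_path() runs the pre-patch and patched checks side by side, with PATH_MAX shrunk to 16 so the boundary case is concrete. struct node, the node names, run_case() and the helper functions are constructed for the example; the "../" loop guard is only modelled in the patched mode, and "../" is copied with memcpy in both modes.

```c
/*
 * Added example, not code from fs/kernfs/symlink.c: a user-space model of
 * the reverse-fill logic in kernfs_get_target_path() with PATH_MAX shrunk
 * to MODEL_PATH_MAX so the off-by-one in the length check is easy to hit.
 * struct node, the node names, run_case() and the helpers are constructed
 * for this example.  Build: cc -Wall -o kernfs_model kernfs_model.c
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PATH_MAX 16	/* stands in for PATH_MAX == PAGE_SIZE, the buffer size */

struct node {
	const char *name;
	struct node *parent;
};

/*
 * Fill 'path' (MODEL_PATH_MAX bytes, zeroed by the caller as kzalloc() would)
 * with the relative path from 'parent' to 'target'.
 * strict == 0: the pre-patch checks ('>' and no explicit terminator).
 * strict == 1: the patched checks ('>=' and s[len] = '\0').
 * "../" is copied with memcpy in both modes; the original strcpy also wrote
 * a NUL after it, which makes no difference on a zeroed buffer.
 */
static int build_path(struct node *parent, struct node *target,
		      char *path, int strict)
{
	struct node *base, *kn;
	char *s = path;
	int len = 0, end;

	/* go up to the root, stop at the base: one "../" per level */
	base = parent;
	while (base->parent) {
		kn = target->parent;
		while (kn->parent && base != kn)
			kn = kn->parent;
		if (base == kn)
			break;
		if (strict && (s - path) + 3 >= MODEL_PATH_MAX)
			return -ENAMETOOLONG;
		memcpy(s, "../", 3);
		s += 3;
		base = base->parent;
	}

	/* length of the components from target up to base, separators included */
	for (kn = target; kn->parent && kn != base; kn = kn->parent)
		len += strlen(kn->name) + 1;

	if (len < 2)
		return -EINVAL;
	len--;				/* len is now the terminator's index from s */
	end = (int)(s - path) + len;	/* the terminator's index from path */
	if (strict ? end >= MODEL_PATH_MAX : end > MODEL_PATH_MAX)
		return -ENAMETOOLONG;
	/*
	 * The pre-patch '>' lets end == MODEL_PATH_MAX through: the string then
	 * fills the whole buffer and its terminator would be path[MODEL_PATH_MAX],
	 * one byte past the allocation.  Writing it explicitly is only safe with '>='.
	 */
	if (strict)
		s[len] = '\0';

	/* reverse fill, from the target's name back toward base */
	for (kn = target; kn->parent && kn != base; kn = kn->parent) {
		int slen = strlen(kn->name);

		len -= slen;
		memcpy(s + len, kn->name, slen);
		if (len)
			s[--len] = '/';
	}
	return 0;
}

/* Output buffer with one sentinel byte past the model PATH_MAX. */
static char last_path[MODEL_PATH_MAX + 1];

/*
 * Constructed tree: parent = /bus/pci, target = /devices/<leaf>, so the
 * result is "../../devices/<leaf>": 14 characters plus the leaf.
 * Returns build_path()'s result; the output is left in last_path.
 */
int run_case(const char *leaf, int strict)
{
	struct node root = { "", NULL };
	struct node bus = { "bus", &root }, pci = { "pci", &bus };
	struct node devices = { "devices", &root };
	struct node target = { leaf, &devices };

	memset(last_path, 0, MODEL_PATH_MAX);
	last_path[MODEL_PATH_MAX] = 'X';	/* sentinel: never written by build_path() */
	return build_path(&pci, &target, last_path, strict);
}

/* 1 if a NUL lies within the first MODEL_PATH_MAX bytes of the last result. */
int last_path_terminated(void)
{
	return memchr(last_path, '\0', MODEL_PATH_MAX) != NULL;
}

/* 1 if the last result equals 'expected', compared within the buffer only. */
int last_path_equals(const char *expected)
{
	return strncmp(last_path, expected, MODEL_PATH_MAX) == 0;
}

int main(void)
{
	int rc;

	/* 16-character result: exactly MODEL_PATH_MAX, no room for the NUL */
	rc = run_case("p0", 0);
	printf("pre-patch leaf=p0: rc=%d terminated=%d\n", rc, last_path_terminated());
	rc = run_case("p0", 1);
	printf("patched   leaf=p0: rc=%d (%s)\n", rc, rc == -ENAMETOOLONG ? "ENAMETOOLONG" : "ok");

	/* 15-character result: fits, terminator at index 15 */
	rc = run_case("p", 1);
	printf("patched   leaf=p : rc=%d path=\"%s\"\n", rc, last_path);
	return 0;
}
```

With leaf "p0" the result is exactly 16 characters: the pre-patch '>' check accepts it and the buffer ends without a NUL (the sentinel byte shows the terminator would have to go one past the buffer), while the patched '>=' check returns -ENAMETOOLONG. With leaf "p" both variants produce the same terminated 15-character string, which illustrates why, on a zeroed buffer, the explicit terminator only matters at the boundary.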
Thread overview: 4+ messages
2018-07-07 9:41 [PATCHv2] Fix range checks in kernfs_get_target_path Bernd Edlinger
2018-07-07 14:01 ` Greg Kroah-Hartman [this message]
2018-07-07 14:34 ` Bernd Edlinger
2018-07-07 14:52 ` Greg Kroah-Hartman