From: Kees Cook <keescook@chromium.org>
To: Azeem Shaikh <azeemshaikh38@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-serial@vger.kernel.org,
Kefeng Wang <wangkefeng.wang@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] vt: Fix potential read overflow of kernel memory
Date: Wed, 30 Aug 2023 12:27:04 -0700 [thread overview]
Message-ID: <202308301222.3BD87A6@keescook> (raw)
In-Reply-To: <20230830160410.3820390-1-azeemshaikh38@gmail.com>
On Wed, Aug 30, 2023 at 04:04:10PM +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
Perhaps add:
"... and returns the size of the source string, not the destination
string, which can be accidentally misused."
> This read may exceed the destination size limit if
> a source string is not NUL-terminated [1].
>
> The copy_to_user() call uses @len returned from strlcpy() directly
> without checking its value. This could potentially lead to read
> overflow.
Since the code as written today is "accidentally correct", it's worth
clarifying this: there is no existing bug, but as written it is very
fragile and specifically uses a strlcpy() result without sanity checking
and using it to copy to userspace. (This is the exact anti-pattern for
strlcpy(), and only because the source strings are known good is this
safe.)
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
> ---
> drivers/tty/vt/keyboard.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> index 358f216c6cd6..15359c328a23 100644
> --- a/drivers/tty/vt/keyboard.c
> +++ b/drivers/tty/vt/keyboard.c
> @@ -2079,12 +2079,15 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
> return -ENOMEM;
>
> spin_lock_irqsave(&func_buf_lock, flags);
> - len = strlcpy(kbs, func_table[kb_func] ? : "", len);
> + len = strscpy(kbs, func_table[kb_func] ? : "", len);
> spin_unlock_irqrestore(&func_buf_lock, flags);
>
> + if (len < 0) {
> + ret = -EFAULT;
I think this should be -ENOSPC as EFAULT implies an actual memory fault.
> + break;
> + }
> ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
> -EFAULT : 0;
> -
> break;
> }
> case KDSKBSENT:
> --
> 2.42.0.rc2.253.gd59a3bf2b4-goog
>
>
Thanks for sticking with these refactorings; we're almost free from
strlcpy. :)
-Kees
--
Kees Cook
prev parent reply other threads:[~2023-08-30 20:02 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 16:04 [PATCH] vt: Fix potential read overflow of kernel memory Azeem Shaikh
2023-08-30 17:57 ` Greg Kroah-Hartman
2023-08-30 19:25 ` Azeem Shaikh
2023-08-30 21:28 ` Kees Cook
2023-08-30 23:17 ` Dan Raymond
2023-08-30 23:48 ` Kees Cook
2023-08-31 5:45 ` Dan Raymond
2023-08-31 14:23 ` Azeem Shaikh
2023-09-15 2:56 ` Kees Cook
2023-08-31 5:32 ` Jiri Slaby
2023-08-31 14:21 ` Azeem Shaikh
2023-08-31 18:30 ` Kees Cook
2023-08-30 19:27 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308301222.3BD87A6@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=azeemshaikh38@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.