From: Kees Cook <keescook@chromium.org>
To: Azeem Shaikh <azeemshaikh38@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-serial@vger.kernel.org,
Kefeng Wang <wangkefeng.wang@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] vt: Fix potential read overflow of kernel memory
Date: Wed, 30 Aug 2023 14:28:21 -0700 [thread overview]
Message-ID: <202308301421.997C4034B5@keescook> (raw)
In-Reply-To: <CADmuW3Wbgb7s+jRm8F0hcjzreWysVdzNvv778yUbGCOxAJHwjQ@mail.gmail.com>
On Wed, Aug 30, 2023 at 03:25:54PM -0400, Azeem Shaikh wrote:
> On Wed, Aug 30, 2023 at 1:57 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Wed, Aug 30, 2023 at 04:04:10PM +0000, Azeem Shaikh wrote:
> > > strlcpy() reads the entire source buffer first.
> > > This read may exceed the destination size limit if
> > > a source string is not NUL-terminated [1].
> >
> > But that's not the case here, right? So your "potential read overflow"
> > isn't relevant here.
> >
> > > The copy_to_user() call uses @len returned from strlcpy() directly
> > > without checking its value. This could potentially lead to read
> > > overflow.
> >
> > But can it? How?
> >
>
> The case I was considering is when the null-terminated hardcoded
> string @func_table[kb_func] has length @new_len > @len. In this case,
> strlcpy() will assign @len = @new_len and copy_to_user() would read
> @new_len from the kmalloc-ed memory of @len. This is the potential
> read overflow I was referring to. Let me know if I'm mistaken.
First there is:
ssize_t len = sizeof(user_kdgkb->kb_string);
"struct user_kdgkb" is UAPI (therefore unlikely to change), and kb_string
is 512:
struct kbsentry {
unsigned char kb_func;
unsigned char kb_string[512];
};
Then we do:
len = strlcpy(kbs, func_table[kb_func] ? : "", len);
This is the anti-pattern (take the length of the _source_) we need to
remove. However, func_table[] is made up of either %NUL-terminated
strings:
char func_buf[] = {
'\033', '[', '[', 'A', 0,
'\033', '[', '[', 'B', 0,
...
char *func_table[MAX_NR_FUNC] = {
func_buf + 0,
func_buf + 5,
...
Or a NULL address itself. The ?: operator handles the NULL case, so
"len" can only ever be 0 through the longest string in func_buf. So it's
what I'd call "accidentally correct". i.e. it's using a fragile
anti-pattern, but in this case everything is hard-coded and less than
512.
Regardless, we need to swap for a sane pattern, which you've done. But
the commit log is misleading, so it needs some more detail. :)
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-08-30 21:29 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 16:04 [PATCH] vt: Fix potential read overflow of kernel memory Azeem Shaikh
2023-08-30 17:57 ` Greg Kroah-Hartman
2023-08-30 19:25 ` Azeem Shaikh
2023-08-30 21:28 ` Kees Cook [this message]
2023-08-30 23:17 ` Dan Raymond
2023-08-30 23:48 ` Kees Cook
2023-08-31 5:45 ` Dan Raymond
2023-08-31 14:23 ` Azeem Shaikh
2023-09-15 2:56 ` Kees Cook
2023-08-31 5:32 ` Jiri Slaby
2023-08-31 14:21 ` Azeem Shaikh
2023-08-31 18:30 ` Kees Cook
2023-08-30 19:27 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308301421.997C4034B5@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=azeemshaikh38@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.