From: Kees Cook <keescook@chromium.org>
To: Dan Raymond <draymond@foxvalley.net>
Cc: Azeem Shaikh <azeemshaikh38@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-serial@vger.kernel.org,
Kefeng Wang <wangkefeng.wang@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] vt: Fix potential read overflow of kernel memory
Date: Wed, 30 Aug 2023 16:48:00 -0700
Message-ID: <202308301646.8397A6A11@keescook>
In-Reply-To: <aa488b1d-51b2-7b55-7a8d-552306ca16dd@foxvalley.net>

On Wed, Aug 30, 2023 at 05:17:12PM -0600, Dan Raymond wrote:
> In my opinion strlcpy() is being used correctly here as a defensive
> precaution. If the source string is larger than the destination buffer
> it will truncate rather than corrupt kernel memory. However the
> return value of strlcpy() is being misused. If truncation occurred
> the copy_to_user() call will corrupt user memory instead.
>
> I also agree that this is not currently a bug. It is fragile and it
> could break if someone added a very large string to the table.
>
> Why not fix this by avoiding the redundant string copy? How about
> something like this:
>
> ptr = func_table[kb_func] ? : "";
> len = strlen(ptr);
>
> if (len >= sizeof(user_kdgkb->kb_string))
>         return -ENOSPC;
>
> if (copy_to_user(user_kdgkb->kb_string, ptr, len + 1))
>         return -EFAULT;
>
This would work if not for func_buf_lock. The bounce buffer is used to
avoid needing to hold the spin lock across copy_to_user.
--
Kees Cook
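The two points in this exchange (the bounce buffer exists so that func_buf_lock is not held across copy_to_user(), and strlcpy()'s return value is the source length rather than the number of bytes placed in the buffer) are illustrated by the following user-space program. It is an added example, not code from the thread or from the kernel patch under discussion: the table contents, the 16-byte buffer size, the mutex standing in for the spinlock, memcpy() standing in for copy_to_user(), and the choice to report truncation as -ENOSPC (taken from the quoted suggestion; the merged fix may differ) are all constructed for the demonstration.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-ins: the real kernel buffer is larger and the table is
 * filled from keymaps; a small size makes truncation easy to show. */
#define KB_STRING_LEN 16
#define NR_FUNC 3

static const char *func_table[NR_FUNC] = {
    "\033[[A",                                           /* short, fits */
    "this string is far longer than the bounce buffer",  /* truncates  */
    NULL,                                                /* unset entry */
};

/* Stand-in for func_buf_lock: a spinlock in the kernel, a mutex here. */
static pthread_mutex_t func_buf_lock = PTHREAD_MUTEX_INITIALIZER;

/* Stand-in for the user-space destination (constructed). */
static char sample_user_buf[KB_STRING_LEN];

/* BSD/kernel strlcpy semantics: always NUL-terminates, but returns
 * strlen(src), which exceeds size when the source was truncated. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size) {
        size_t n = srclen >= size ? size - 1 : srclen;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Kernel strscpy semantics: returns bytes copied (excluding NUL), or
 * -E2BIG on truncation; the result is never larger than size - 1. */
static ssize_t my_strscpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size == 0)
        return -E2BIG;
    if (srclen >= size) {
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -E2BIG;
    }
    memcpy(dst, src, srclen + 1);
    return (ssize_t)srclen;
}

/* Fragile pattern: the strlcpy() return value becomes the copy length.
 * Returns the byte count the old code would hand to copy_to_user(); when
 * it exceeds KB_STRING_LEN the copy would read past the bounce buffer. */
static size_t fragile_copy_len(int kb_func)
{
    char kbs[KB_STRING_LEN];
    size_t len;

    pthread_mutex_lock(&func_buf_lock);
    len = my_strlcpy(kbs, func_table[kb_func] ? func_table[kb_func] : "",
                     sizeof(kbs));
    pthread_mutex_unlock(&func_buf_lock);

    return len + 1; /* old code: copy_to_user(..., kbs, len + 1) */
}

static int would_over_read(size_t copy_len)
{
    return copy_len > KB_STRING_LEN;
}

/* Hardened pattern: keep the bounce buffer so the lock is dropped before
 * the user copy, but size that copy from strscpy()'s bounded return value
 * and report truncation instead of copying. Returns bytes copied including
 * the NUL, or -ENOSPC on truncation (assumed error code, see lead-in). */
static ssize_t get_kb_string_fixed(int kb_func, char *user_kb_string)
{
    char kbs[KB_STRING_LEN];
    ssize_t ret;

    pthread_mutex_lock(&func_buf_lock);
    ret = my_strscpy(kbs, func_table[kb_func] ? func_table[kb_func] : "",
                     sizeof(kbs));
    pthread_mutex_unlock(&func_buf_lock);

    if (ret < 0)
        return -ENOSPC;

    /* memcpy() stands in for copy_to_user(); ret + 1 <= sizeof(kbs) here. */
    memcpy(user_kb_string, kbs, (size_t)ret + 1);
    return ret + 1;
}

int main(void)
{
    for (int i = 0; i < NR_FUNC; i++) {
        size_t old = fragile_copy_len(i);
        ssize_t fixed = get_kb_string_fixed(i, sample_user_buf);
        printf("entry %d: old copy_len=%zu (%s), fixed ret=%zd\n", i, old,
               would_over_read(old) ? "over-read" : "ok", fixed);
    }
    return 0;
}
```

Running it shows entry 1 producing an old copy length of 49 bytes against a 16-byte bounce buffer, which is the kernel over-read the patch subject refers to, while the strscpy()-based version returns -ENOSPC for that entry and copies exactly the bounded length for the others. Dropping the bounce buffer, as the quoted suggestion does, would instead require holding func_buf_lock across the user copy, which is the point made in the reply above.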