[PATCH] string: Adjust strtomem_pad() logic to allow for smaller sources

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] string: Adjust strtomem_pad() logic to allow for smaller sources
@ 2023-10-18 18:07 Kees Cook
  2023-10-18 19:16 ` Arnd Bergmann
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2023-10-18 18:07 UTC (permalink / raw)
  To: Andy Shevchenko; +Cc: Kees Cook, Arnd Bergmann, linux-hardening, linux-kernel

Arnd noticed we have a case where a shorter source string is being copied
into a destination byte array, but this results in a strnlen() call that
exceeds the size of the source. This is seen with -Wstringop-overread:

In file included from ../include/linux/uuid.h:11,
                 from ../include/linux/mod_devicetable.h:14,
                 from ../include/linux/cpufeature.h:12,
                 from ../arch/x86/coco/tdx/tdx.c:7:
../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop':
../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 exceeds source size 60 [-Werror=stringop-overread]
  284 |         memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 'strtomem_pad'
  124 |         strtomem_pad(message.str, msg, '\0');
      |         ^~~~~~~~~~~~

Use the smaller of the two buffer sizes when calling strnlen(). When
src length is unknown (SIZE_MAX), it will use dest length, which is what
the original code did.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()")
Cc: Andy Shevchenko <andy@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/string.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/linux/string.h b/include/linux/string.h
index dbfc66400050..9e3cb6923b0e 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -277,10 +277,12 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
  */
 #define strtomem_pad(dest, src, pad)	do {				\
 	const size_t _dest_len = __builtin_object_size(dest, 1);	\
+	const size_t _src_len = __builtin_object_size(src, 1);		\
 									\
 	BUILD_BUG_ON(!__builtin_constant_p(_dest_len) ||		\
 		     _dest_len == (size_t)-1);				\
-	memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \
+	memcpy_and_pad(dest, _dest_len, src,				\
+		       strnlen(src, min(_src_len, _dest_len)), pad);	\
 } while (0)
 
 /**
@@ -298,10 +300,11 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
  */
 #define strtomem(dest, src)	do {					\
 	const size_t _dest_len = __builtin_object_size(dest, 1);	\
+	const size_t _src_len = __builtin_object_size(src, 1);		\
 									\
 	BUILD_BUG_ON(!__builtin_constant_p(_dest_len) ||		\
 		     _dest_len == (size_t)-1);				\
-	memcpy(dest, src, min(_dest_len, strnlen(src, _dest_len)));	\
+	memcpy(dest, src, strnlen(src, min(_src_len, _dest_len)));	\
 } while (0)
 
 /**
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] string: Adjust strtomem_pad() logic to allow for smaller sources
  2023-10-18 18:07 [PATCH] string: Adjust strtomem_pad() logic to allow for smaller sources Kees Cook
@ 2023-10-18 19:16 ` Arnd Bergmann
  0 siblings, 0 replies; 2+ messages in thread
From: Arnd Bergmann @ 2023-10-18 19:16 UTC (permalink / raw)
  To: Kees Cook, Andy Shevchenko; +Cc: linux-hardening, linux-kernel

On Wed, Oct 18, 2023, at 20:07, Kees Cook wrote:
> Arnd noticed we have a case where a shorter source string is being copied
> into a destination byte array, but this results in a strnlen() call that
> exceeds the size of the source. This is seen with -Wstringop-overread:
>
> In file included from ../include/linux/uuid.h:11,
>                  from ../include/linux/mod_devicetable.h:14,
>                  from ../include/linux/cpufeature.h:12,
>                  from ../arch/x86/coco/tdx/tdx.c:7:
> ../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop':
> ../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 
> exceeds source size 60 [-Werror=stringop-overread]
>   284 |         memcpy_and_pad(dest, _dest_len, src, strnlen(src, 
> _dest_len), pad); \
>       |         
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 
> 'strtomem_pad'
>   124 |         strtomem_pad(message.str, msg, '\0');
>       |         ^~~~~~~~~~~~
>
> Use the smaller of the two buffer sizes when calling strnlen(). When
> src length is unknown (SIZE_MAX), it will use dest length, which is what
> the original code did.
>
> Reported-by: Arnd Bergmann <arnd@arndb.de>
> Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()")
> Cc: Andy Shevchenko <andy@kernel.org>
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Thanks for addressing this, looks good

Tested-by: Arnd Bergmann <arnd@arndb.de>

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2023-10-18 19:16 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-18 18:07 [PATCH] string: Adjust strtomem_pad() logic to allow for smaller sources Kees Cook
2023-10-18 19:16 ` Arnd Bergmann

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.