[PATCH] kernel: tsacct: strncpy, always be sure of NUL terminated.

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] kernel: tsacct: strncpy, always be sure of NUL terminated.
@ 2013-04-08  3:27 Chen Gang
  2013-04-08  3:52 ` KOSAKI Motohiro
  0 siblings, 1 reply; 3+ messages in thread
From: Chen Gang @ 2013-04-08  3:27 UTC (permalink / raw)
  To: Eric W. Biederman, Frederic Weisbecker; +Cc: linux-kernel@vger.kernel.org


  for NUL terminated string, always set '\0' at the end.

Signed-off-by: Chen Gang <gang.chen@asianux.com>
---
 kernel/tsacct.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/kernel/tsacct.c b/kernel/tsacct.c
index a1dd9a1..01bcc4e 100644
--- a/kernel/tsacct.c
+++ b/kernel/tsacct.c
@@ -78,7 +78,8 @@ void bacct_add_tsk(struct user_namespace *user_ns,
 	stats->ac_minflt = tsk->min_flt;
 	stats->ac_majflt = tsk->maj_flt;
 
-	strncpy(stats->ac_comm, tsk->comm, sizeof(stats->ac_comm));
+	strncpy(stats->ac_comm, tsk->comm, sizeof(stats->ac_comm) - 1);
+	stats->ac_comm[sizeof(stats->ac_comm) - 1] = '\0';
 }
 
 
-- 
1.7.7.6

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] kernel: tsacct: strncpy, always be sure of NUL terminated.
  2013-04-08  3:27 [PATCH] kernel: tsacct: strncpy, always be sure of NUL terminated Chen Gang
@ 2013-04-08  3:52 ` KOSAKI Motohiro
  2013-04-08  4:03   ` Chen Gang
  0 siblings, 1 reply; 3+ messages in thread
From: KOSAKI Motohiro @ 2013-04-08  3:52 UTC (permalink / raw)
  To: Chen Gang
  Cc: Eric W. Biederman, Frederic Weisbecker,
	linux-kernel@vger.kernel.org

On Sun, Apr 7, 2013 at 11:27 PM, Chen Gang <gang.chen@asianux.com> wrote:
>
>   for NUL terminated string, always set '\0' at the end.
>
> Signed-off-by: Chen Gang <gang.chen@asianux.com>
> ---
>  kernel/tsacct.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/tsacct.c b/kernel/tsacct.c
> index a1dd9a1..01bcc4e 100644
> --- a/kernel/tsacct.c
> +++ b/kernel/tsacct.c
> @@ -78,7 +78,8 @@ void bacct_add_tsk(struct user_namespace *user_ns,
>         stats->ac_minflt = tsk->min_flt;
>         stats->ac_majflt = tsk->maj_flt;
>
> -       strncpy(stats->ac_comm, tsk->comm, sizeof(stats->ac_comm));
> +       strncpy(stats->ac_comm, tsk->comm, sizeof(stats->ac_comm) - 1);
> +       stats->ac_comm[sizeof(stats->ac_comm) - 1] = '\0';

sizeof(tsk->comm) is 16 and sizeof(stats->ac_comm) is 32. then this statement
is strange. and set_task_comm ensure tsk->comm is nul-terminated.

so your code never change the behavior, right?

And, If buggy driver change tsk->comm not to use set_task_comm and tsk->comm
is not nul-terminated, strncpy() still touch unrelated memory and ac_comm may
expose kernel internal info. that's bad.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] kernel: tsacct: strncpy, always be sure of NUL terminated.
  2013-04-08  3:52 ` KOSAKI Motohiro
@ 2013-04-08  4:03   ` Chen Gang
  0 siblings, 0 replies; 3+ messages in thread
From: Chen Gang @ 2013-04-08  4:03 UTC (permalink / raw)
  To: KOSAKI Motohiro
  Cc: Eric W. Biederman, Frederic Weisbecker,
	linux-kernel@vger.kernel.org

On 2013年04月08日 11:52, KOSAKI Motohiro wrote:
> On Sun, Apr 7, 2013 at 11:27 PM, Chen Gang <gang.chen@asianux.com> wrote:
>> >
>> >   for NUL terminated string, always set '\0' at the end.
>> >
>> > Signed-off-by: Chen Gang <gang.chen@asianux.com>
>> > ---
>> >  kernel/tsacct.c |    3 ++-
>> >  1 files changed, 2 insertions(+), 1 deletions(-)
>> >
>> > diff --git a/kernel/tsacct.c b/kernel/tsacct.c
>> > index a1dd9a1..01bcc4e 100644
>> > --- a/kernel/tsacct.c
>> > +++ b/kernel/tsacct.c
>> > @@ -78,7 +78,8 @@ void bacct_add_tsk(struct user_namespace *user_ns,
>> >         stats->ac_minflt = tsk->min_flt;
>> >         stats->ac_majflt = tsk->maj_flt;
>> >
>> > -       strncpy(stats->ac_comm, tsk->comm, sizeof(stats->ac_comm));
>> > +       strncpy(stats->ac_comm, tsk->comm, sizeof(stats->ac_comm) - 1);
>> > +       stats->ac_comm[sizeof(stats->ac_comm) - 1] = '\0';
> sizeof(tsk->comm) is 16 and sizeof(stats->ac_comm) is 32. then this statement
> is strange. and set_task_comm ensure tsk->comm is nul-terminated.
> 
> so your code never change the behavior, right?
> 

  right.

  thank you for your information:
    originally, I really did not check the sizeof details.


> And, If buggy driver change tsk->comm not to use set_task_comm and tsk->comm
> is not nul-terminated, strncpy() still touch unrelated memory and ac_comm may
> expose kernel internal info. that's bad.
> 
> 

  really, that's bad !

  thank you for your information:
    originally, I did not think of a buggy driver can change tsk->comm.


  :-)

-- 
Chen Gang

Asianux Corporation

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2013-04-08  4:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-04-08  3:27 [PATCH] kernel: tsacct: strncpy, always be sure of NUL terminated Chen Gang
2013-04-08  3:52 ` KOSAKI Motohiro
2013-04-08  4:03   ` Chen Gang

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.