From: Kees Cook <keescook@chromium.org>
To: Justin Stitt <justinstitt@google.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Charles Bertsch <cbertsch@cox.net>,
linux-scsi@vger.kernel.org, MPT-FusionLinux.pdl@broadcom.com
Subject: Re: startup BUG at lib/string_helpers.c from scsi fusion mptsas
Date: Thu, 4 Apr 2024 16:39:29 -0700 [thread overview]
Message-ID: <202404041629.D23DC8F7@keescook> (raw)
In-Reply-To: <CAFhGd8r1gGCAbsebK-4fD+cPeUCMgUG_XTx5fKa3cqJwNEEM8Q@mail.gmail.com>
On Thu, Apr 04, 2024 at 03:47:05PM -0700, Justin Stitt wrote:
> Cc'ing Kees.
>
> On Thu, Apr 4, 2024 at 3:33 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > But additionally this is a common pattern in SCSI: using strncpy to
> > zero terminate fields that may be unterminated in the exchange protocol
> > so we can send them to sysfs or otherwise treat them as strings. That
> > means we might have this problem in other drivers you've converted ...
That's why we've been doing these one at a time and getting maintainers
to review them. :) Justin (and the reviewers) have been trying to be
careful with these, and documenting the rationales, etc, but this is
kind of why we're doing the conversion: using strncpy is really
ambiguous as far as showing what an author intended to be happening.
> Correct. Although certain conditions must be met:
>
> 1) length argument is larger than source but less than or equal to destination
> 2) source is not NUL-terminated
> 3) sizes known at compile-time
>
> I think fortified strscpy needs to be a bit more lenient towards
> source buffer overreads when we know strscpy should just truncate and
> NUL-terminate.
Okay, so the problem here is that the _source_ fields aren't NUL
terminated?
struct sas_expander_device {
...
#define SAS_EXPANDER_VENDOR_ID_LEN 8
char vendor_id[SAS_EXPANDER_VENDOR_ID_LEN+1];
...
};
struct rep_manu_reply {
...
u8 vendor_id[SAS_EXPANDER_VENDOR_ID_LEN];
...
};
Okay, so struct rep_manu_reply needs __nonstring markings, and the
strscpy()s need to be memcpy()s.
We've done those kinds of conversions in the past; it just looks like we
made an analysis mistake here. Sorry about that!
-Kees
--
Kees Cook
next prev parent reply other threads:[~2024-04-04 23:39 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-01 22:43 startup BUG at lib/string_helpers.c from scsi fusion mptsas Charles Bertsch
2024-04-03 23:20 ` Bart Van Assche
2024-04-04 19:58 ` Justin Stitt
2024-04-04 21:38 ` Justin Stitt
2024-04-04 21:53 ` James Bottomley
2024-04-04 22:04 ` Justin Stitt
2024-04-04 22:29 ` James Bottomley
2024-04-04 22:33 ` James Bottomley
2024-04-04 22:43 ` Martin K. Petersen
2024-04-04 22:47 ` Justin Stitt
2024-04-04 23:39 ` Kees Cook [this message]
2024-04-05 0:10 ` Justin Stitt
2024-04-05 0:12 ` Justin Stitt
2024-04-04 23:57 ` Kees Cook
2024-04-06 20:42 ` Charles Bertsch
2024-04-08 19:59 ` Justin Stitt
2024-04-08 23:19 ` Kees Cook
2024-04-10 20:51 ` Justin Stitt
2024-04-10 21:14 ` Charles Bertsch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202404041629.D23DC8F7@keescook \
--to=keescook@chromium.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=MPT-FusionLinux.pdl@broadcom.com \
--cc=cbertsch@cox.net \
--cc=justinstitt@google.com \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox