Date: Thu, 31 Aug 2023 11:30:12 -0700
From: Kees Cook
To: Jiri Slaby
Cc: Azeem Shaikh, Greg Kroah-Hartman, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org, Kefeng Wang, Andrew Morton
Subject: Re: [PATCH] vt: Fix potential read overflow of kernel memory
Message-ID: <202308311123.EF07499@keescook>

On Thu, Aug 31, 2023 at 07:32:18AM +0200, Jiri Slaby wrote:
> On 30. 08. 23, 23:28, Kees Cook wrote:
> > len = strlcpy(kbs, func_table[kb_func] ? : "", len);
> >
> > This is the anti-pattern (take the length of the _source_) we need to
> > remove.
>
> But len is the length of kbs, i.e. the destination. Or what am I missing?

strlcpy() returns the length of the _source_ string (i.e. it could be
greater than the input argument len). But there is no current flaw here
(since all sources are very short). We're just trying to remove strlcpy()
since it leads to unexpected results.

-Kees

--
Kees Cook
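
The return-value behaviour described in the reply above, as an added userspace example (not code from this thread or from the kernel tree). The helpers `demo_strlcpy`, `demo_copy_checked` and `overread_bytes` and the sample strings are constructed here, and the later read of `len + 1` bytes from the destination is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Userspace stand-in with strlcpy() semantics (constructed for this example):
 * stores at most size - 1 bytes plus a NUL, returns strlen(src). */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
	size_t srclen = strlen(src);

	if (size) {
		size_t n = srclen < size - 1 ? srclen : size - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/* Hypothetical truncation-aware wrapper: returns the bytes actually stored
 * (excluding the NUL), or -1 if src did not fit in dst. */
static ssize_t demo_copy_checked(char *dst, const char *src, size_t size)
{
	size_t srclen = demo_strlcpy(dst, src, size);

	return srclen >= size ? -1 : (ssize_t)srclen;
}

/* Anti-pattern: treat the strlcpy() return value as the length of dst.
 * Assumes the caller later reads len + 1 bytes (string plus NUL) from dst;
 * returns how many of those bytes lie past the end of dst. */
static size_t overread_bytes(char *dst, size_t dst_size, const char *src)
{
	size_t len = demo_strlcpy(dst, src, dst_size);

	return len + 1 > dst_size ? len + 1 - dst_size : 0;
}

int main(void)
{
	char kbs[8];				/* constructed 8-byte destination */
	const char *src = "0123456789ABCDEF";	/* constructed 16-byte source */

	printf("strlcpy-style return: %zu\n", demo_strlcpy(kbs, src, sizeof(kbs)));
	printf("bytes read past dst:  %zu\n", overread_bytes(kbs, sizeof(kbs), src));
	printf("checked copy return:  %zd\n", demo_copy_checked(kbs, src, sizeof(kbs)));
	return 0;
}
```

With short sources the returned length never exceeds the destination size, which matches the reply's point that there is no current flaw while the pattern itself stays fragile.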