[PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Joe Thornber]

Use the correct size for "name" in register_with_devfs().

During Al Viro's devfs cleanup a few versions ago, this function was
rewritten, and the "name" string added. The 32-byte size is not large
enough to prevent a possible buffer overflow in the sprintf() call,
since the hash cell can have a name up to 128 characters.

[Kevin Corry]

--- diff/drivers/md/dm-ioctl.c	2003-02-26 16:09:42.000000000 +0000
+++ source/drivers/md/dm-ioctl.c	2003-02-26 16:09:52.000000000 +0000
@@ -173,7 +173,7 @@
  */
 static int register_with_devfs(struct hash_cell *hc)
 {
-	char name[32];
+	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
 	struct gendisk *disk = dm_disk(hc->md);
 
 	sprintf(name, DM_DIR "/%s", hc->name);

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Horst von Brand]

Joe Thornber <joe@fib011235813.fsnet.co.uk> said:
> Use the correct size for "name" in register_with_devfs().
> 
> During Al Viro's devfs cleanup a few versions ago, this function was
> rewritten, and the "name" string added. The 32-byte size is not large
> enough to prevent a possible buffer overflow in the sprintf() call,
> since the hash cell can have a name up to 128 characters.
> 
> [Kevin Corry]
> 
> --- diff/drivers/md/dm-ioctl.c	2003-02-26 16:09:42.000000000 +0000
> +++ source/drivers/md/dm-ioctl.c	2003-02-26 16:09:52.000000000 +0000
> @@ -173,7 +173,7 @@
>   */
>  static int register_with_devfs(struct hash_cell *hc)
>  {
> -	char name[32];
> +	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];

This either makes a large name array or generates a possibly huge array at
runtime (bad if your stack is < 8KiB).
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Kevin Corry]

On Wednesday 26 February 2003 15:04, Horst von Brand wrote:
> Joe Thornber <joe@fib011235813.fsnet.co.uk> said:
> > Use the correct size for "name" in register_with_devfs().
> >
> > During Al Viro's devfs cleanup a few versions ago, this function was
> > rewritten, and the "name" string added. The 32-byte size is not large
> > enough to prevent a possible buffer overflow in the sprintf() call,
> > since the hash cell can have a name up to 128 characters.
> >
> > [Kevin Corry]
> >
> > --- diff/drivers/md/dm-ioctl.c	2003-02-26 16:09:42.000000000 +0000
> > +++ source/drivers/md/dm-ioctl.c	2003-02-26 16:09:52.000000000 +0000
> > @@ -173,7 +173,7 @@
> >   */
> >  static int register_with_devfs(struct hash_cell *hc)
> >  {
> > -	char name[32];
> > +	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
>
> This either makes a large name array or generates a possibly huge array at
> runtime (bad if your stack is < 8KiB).

Would this be better?

-- 
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/


--- linux-2.5.60a/drivers/md/dm-ioctl.c	2003/02/13 16:43:26
+++ linux-2.5.60b/drivers/md/dm-ioctl.c	2003/02/27 14:17:00
@@ -173,8 +173,11 @@
  */
 static int register_with_devfs(struct hash_cell *hc)
 {
-	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
 	struct gendisk *disk = dm_disk(hc->md);
+	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
+	if (!name) {
+		return -ENOMEM;
+	}
 
 	sprintf(name, DM_DIR "/%s", hc->name);
 	devfs_register(NULL, name, DEVFS_FL_CURRENT_OWNER,
\x10

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Kevin Corry]

On Thursday 27 February 2003 08:20, Kevin Corry wrote:
> On Wednesday 26 February 2003 15:04, Horst von Brand wrote:
> > Joe Thornber <joe@fib011235813.fsnet.co.uk> said:
> > > Use the correct size for "name" in register_with_devfs().
> > >
> > > During Al Viro's devfs cleanup a few versions ago, this function was
> > > rewritten, and the "name" string added. The 32-byte size is not large
> > > enough to prevent a possible buffer overflow in the sprintf() call,
> > > since the hash cell can have a name up to 128 characters.
> > >
> > > [Kevin Corry]
> > >
> > > --- diff/drivers/md/dm-ioctl.c	2003-02-26 16:09:42.000000000 +0000
> > > +++ source/drivers/md/dm-ioctl.c	2003-02-26 16:09:52.000000000 +0000
> > > @@ -173,7 +173,7 @@
> > >   */
> > >  static int register_with_devfs(struct hash_cell *hc)
> > >  {
> > > -	char name[32];
> > > +	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
> >
> > This either makes a large name array or generates a possibly huge array
> > at runtime (bad if your stack is < 8KiB).
>
> Would this be better?

As Joe pointed out to me, that should have been:

--- linux-2.5.60a/drivers/md/dm-ioctl.c	2003/02/13 16:43:26
+++ linux-2.5.60b/drivers/md/dm-ioctl.c	2003/02/27 14:35:20
@@ -173,14 +173,18 @@
  */
 static int register_with_devfs(struct hash_cell *hc)
 {
-	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
 	struct gendisk *disk = dm_disk(hc->md);
+	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
+	if (!name) {
+		return -ENOMEM;
+	}
 
 	sprintf(name, DM_DIR "/%s", hc->name);
 	devfs_register(NULL, name, DEVFS_FL_CURRENT_OWNER,
 		       disk->major, disk->first_minor,
 		       S_IFBLK | S_IRUSR | S_IWUSR | S_IRGRP,
 		       &dm_blk_dops, NULL);
+	kfree(name);
 	return 0;
 }
 

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Roland Dreier]

   > +	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
   > +	if (!name) {
   > +		return -ENOMEM;
   > +	}

Also, kmalloc() needs a second "GFP_xxx" parameter (I guess GFP_KERNEL
in this case, although I don't know the context this function is
called from).

 - Roland

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Kevin Corry]

On Thursday 27 February 2003 10:25, Roland Dreier wrote:
>    > +	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
>    > +	if (!name) {
>    > +		return -ENOMEM;
>    > +	}
>
> Also, kmalloc() needs a second "GFP_xxx" parameter (I guess GFP_KERNEL
> in this case, although I don't know the context this function is
> called from).
>
>  - Roland

Dammit! I'm not having a good morning. :(

Unfortunately, Linus seems to have committed that patch already. So here is a 
patch to fix just that line.

Thanks for catching that.

-- 
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/

--- a/drivers/md/dm-ioctl.c	2003/02/27 16:29:58
+++ b/drivers/md/dm-ioctl.c	2003/02/27 16:30:03
@@ -174,7 +174,7 @@
 static int register_with_devfs(struct hash_cell *hc)
 {
 	struct gendisk *disk = dm_disk(hc->md);
-	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
+	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL);
 	if (!name) {
 		return -ENOMEM;
 	}

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Kevin Corry]

[Sent this earlier, but it doesn't seem to have shown up yet. My outgoing 
email server seems to flake out at times. Sorry if this is a duplicate, but 
it seemed important enough to resend, since we'd like to avoid the extra 
compile failure.]


On Thursday 27 February 2003 10:25, Roland Dreier wrote:
>    > +         char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
>    > +         if (!name) {
>    > +                 return -ENOMEM;
>    > +         }
>
> Also, kmalloc() needs a second "GFP_xxx" parameter (I guess GFP_KERNEL
> in this case, although I don't know the context this function is
> called from).
>
>  - Roland


Dammit! I'm not having a good morning. :(

Unfortunately, Linus seems to have committed that patch already. So here is a 
patch to fix just that line.

Thanks for catching that.

-- 
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/


--- a/drivers/md/dm-ioctl.c	2003/02/27 16:29:58
+++ b/drivers/md/dm-ioctl.c	2003/02/27 17:21:54
@@ -174,7 +174,7 @@
 static int register_with_devfs(struct hash_cell *hc)
 {
 	struct gendisk *disk = dm_disk(hc->md);
-	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
+	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL);
 	if (!name) {
 		return -ENOMEM;
 	}

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Kevin Corry]

On Friday 28 February 2003 08:32, you wrote:
> On Thu, 2003-02-27 at 14:05, Kevin Corry wrote:
> > Unfortunately, Linus seems to have committed that patch already. So here
> > is a patch to fix just that line.
> >
> > Thanks for catching that.
>
> Third time, strlen isn't necessary, it can be done at compile time.
>
> --- a/drivers/md/dm-ioctl.c     2003/02/27 16:29:58
> +++ b/drivers/md/dm-ioctl.c     2003/02/27 17:21:54
> @@ -174,7 +174,7 @@
>  static int register_with_devfs(struct hash_cell *hc)
>  {
>         struct gendisk *disk = dm_disk(hc->md);
> -       char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
> +       char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR));
>         if (!name) {
>                 return -ENOMEM;
>         }

Sorry, I sent the last patch before I got your email.

Also, the "+1" is still necessary, even if we switch to sizeof. The sprintf 
call that follows copies DM_DIR, followed by a slash, followed by the name 
from the hash table into the allocated string. The "+1" is for the slash in 
the middle. The terminating NULL character is accounted for in DM_NAME_LEN.

Linus, here is (yet another!) patch against current BK.

-- 
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/


--- linux-2.5.63-bk4a/drivers/md/dm-ioctl.c	Fri Feb 28 08:43:19 2003
+++ linux-2.5.63-bk4b/drivers/md/dm-ioctl.c	Fri Feb 28 08:44:08 2003
@@ -174,7 +174,7 @@
 static int register_with_devfs(struct hash_cell *hc)
 {
 	struct gendisk *disk = dm_disk(hc->md);
-	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL);
+	char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR) + 1, GFP_KERNEL);
 	if (!name) {
 		return -ENOMEM;
 	}

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Horst von Brand]

Kevin Corry <corryk@us.ibm.com> said:
> On Friday 28 February 2003 08:32, you wrote:
> > On Thu, 2003-02-27 at 14:05, Kevin Corry wrote:
> > > Unfortunately, Linus seems to have committed that patch already. So here
> > > is a patch to fix just that line.
> > >
> > > Thanks for catching that.
> >
> > Third time, strlen isn't necessary, it can be done at compile time.
> >
> > --- a/drivers/md/dm-ioctl.c     2003/02/27 16:29:58
> > +++ b/drivers/md/dm-ioctl.c     2003/02/27 17:21:54
> > @@ -174,7 +174,7 @@
> >  static int register_with_devfs(struct hash_cell *hc)
> >  {
> >         struct gendisk *disk = dm_disk(hc->md);
> > -       char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
> > +       char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR));
> >         if (!name) {
> >                 return -ENOMEM;
> >         }
> 
> Sorry, I sent the last patch before I got your email.
> 
> Also, the "+1" is still necessary, even if we switch to sizeof. The sprintf 
> call that follows copies DM_DIR, followed by a slash, followed by the name 
> from the hash table into the allocated string. The "+1" is for the slash in 
> the middle. The terminating NULL character is accounted for in
> DM_NAME_LEN.

Then it was broken before.

sizeof("1234") == strlen("1234") + 1 == 5

Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

[Kevin Corry]

On Friday 28 February 2003 12:14, Horst von Brand wrote:
> Kevin Corry <corryk@us.ibm.com> said:
> > Also, the "+1" is still necessary, even if we switch to sizeof. The
> > sprintf call that follows copies DM_DIR, followed by a slash, followed by
> > the name from the hash table into the allocated string. The "+1" is for
> > the slash in the middle. The terminating NULL character is accounted for
> > in
> > DM_NAME_LEN.
>
> Then it was broken before.
>
> sizeof("1234") == strlen("1234") + 1 == 5

Hmmm...wasn't aware of that. I guess I never expected there to be a 
difference. If that's the case, then Joe Perches' earlier patch should do the 
trick, albiet for obscure reasons.

And I wouldn't say it was broken the other way; it was simply allocating one 
byte more than necessary.

-- 
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/