From: Pete Zaitcev <zaitcev@redhat.com>
To: schwidefsky@de.ibm.com
Cc: zaitcev@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: SECURITY - data leakage due to incorrect strncpy implementation
Date: Wed, 28 Jan 2004 19:11:15 -0800 [thread overview]
Message-ID: <20040128191115.0f33a113.zaitcev@redhat.com> (raw)
In-Reply-To: <1057963814.20636.72.camel@dhcp22.swansea.linux.org.uk>
On 11 Jul 2003 23:50:15 +0100
Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
> On Gwe, 2003-07-11 at 23:44, Linus Torvalds wrote:
> > On 11 Jul 2003, Alan Cox wrote:
> > >
> > > Lots of kernel drivers rely on the libc definition of strncpy.
> >
> > But that's ok. We _do_ do the padding. I hated it when I wrote it, but as
> > far as I know, the kernel strncpy() has done padding pretty much since day
> > one.
> * Note that unlike userspace strncpy, this does not %NUL-pad the buffer.
> * However, the result is not %NUL-terminated if the source exceeds
> * @count bytes.
> */
>
> Only x86 does the padding
I do not undestand Alan's position, if he is for it or against it.
Anyway, in case you want it, here's what I wrote for s390.
I wrote some userland tests, it seems to check out. BUT I warn you,
someone better check my assembly.
-- Pete
diff -ur -X dontdiff linux-2.6.1/arch/s390/lib/strncpy64.S linux-2.6.1-s390/arch/s390/lib/strncpy64.S
--- linux-2.6.1/arch/s390/lib/strncpy64.S 2003-07-13 20:31:50.000000000 -0700
+++ linux-2.6.1-s390/arch/s390/lib/strncpy64.S 2004-01-28 18:48:27.000000000 -0800
@@ -23,8 +23,16 @@
LA 3,1(3)
STC 0,0(1)
LA 1,1(1)
- JZ strncpy_exit # ICM inserted a 0x00
+ JZ strncpy_pad # ICM inserted a 0x00
BRCTG 4,strncpy_loop # R4 -= 1, jump to strncpy_loop if > 0
-strncpy_exit:
BR 14
+strncpy_pad:
+ LTR 4,4
+ JZ strncpy_exit # 0 bytes -> nothing to do
+strncpy_padloop:
+ MVI 0(1),0
+ LA 1,1(1)
+ BRCTG 4,strncpy_padloop
+strncpy_exit:
+ BR 14
diff -ur -X dontdiff linux-2.6.1/arch/s390/lib/strncpy.S linux-2.6.1-s390/arch/s390/lib/strncpy.S
--- linux-2.6.1/arch/s390/lib/strncpy.S 2003-07-13 20:35:16.000000000 -0700
+++ linux-2.6.1-s390/arch/s390/lib/strncpy.S 2004-01-28 18:46:20.000000000 -0800
@@ -23,8 +23,16 @@
LA 3,1(3)
STC 0,0(1)
LA 1,1(1)
- JZ strncpy_exit # ICM inserted a 0x00
+ JZ strncpy_pad # ICM inserted a 0x00
BRCT 4,strncpy_loop # R4 -= 1, jump to strncpy_loop if > 0
-strncpy_exit:
BR 14
+strncpy_pad:
+ LTR 4,4
+ JZ strncpy_exit
+strncpy_padloop:
+ MVI 0(1),0
+ LA 1,1(1)
+ BRCT 4,strncpy_padloop
+strncpy_exit:
+ BR 14
next prev parent reply other threads:[~2004-01-29 3:11 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-07-11 17:05 Sound updating, security of strlcpy and a question on pci v unload Alan Cox
2003-07-11 19:04 ` Mikulas Patocka
2003-07-11 21:45 ` SECURITY - data leakage due to incorrect strncpy implementation Alan Cox
2003-07-11 22:10 ` Alan Cox
2003-07-11 23:49 ` Paul Mackerras
2003-07-12 21:28 ` Horst von Brand
2003-07-13 8:02 ` Alan Cox
2003-07-11 22:44 ` Linus Torvalds
2003-07-11 22:50 ` Alan Cox
2004-01-29 3:11 ` Pete Zaitcev [this message]
2003-07-11 22:37 ` Sound updating, security of strlcpy and a question on pci v unload Mitchell Blank Jr
2003-07-12 0:08 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2004-01-29 8:57 SECURITY - data leakage due to incorrect strncpy implementation Martin Schwidefsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040128191115.0f33a113.zaitcev@redhat.com \
--to=zaitcev@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox