Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree

Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree

[Alexey Dobriyan]

On Tue, Apr 15, 2014 at 12:47 AM,  <akpm@linux-foundation.org> wrote:
> Subject: lib/string.c: strlcpy() might read too far
>
> Imagine you have a user controlled variable at the end of a struct which
> is allocated at the end of a page.  The strlen() could read beyond the
> mapped memory and cause an oops.
>
> Probably there are two reasons why we have never hit this condition in
> real life.  First you would have to be really unlucky for all the
> variables to line up so the oops can happen.  Second we don't do a lot of
> fuzzing with invalid strings.
>
> The strnlen() call is obviously a little bit slower than strlen() but I
> have tested it and I think it's probably ok.

> --- a/lib/string.c~lib-stringc-strlcpy-might-read-too-far
> +++ a/lib/string.c
> @@ -148,10 +148,10 @@ EXPORT_SYMBOL(strncpy);
>   */
>  size_t strlcpy(char *dest, const char *src, size_t size)
>  {
> -       size_t ret = strlen(src);
> +       size_t ret = strnlen(src, size);
>
>         if (size) {
> -               size_t len = (ret >= size) ? size - 1 : ret;
> +               size_t len = (ret < size) ? ret : ret - 1;
>                 memcpy(dest, src, len);
>                 dest[len] = '\0';
>         }

Return value matters. It may not matter for kernel, because kernel is
not heavy string user.
But it is better to not diverge from master code:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/strlcpy.c?rev=1.11

Counter-rationale:
* strlcpy() accepts strings, so if you're giving raw buffer you're
doing it wrong.
* last byte of last page argument is bogus because kernel copies data
from userspace first.

Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree

[Dan Carpenter]

On Tue, Apr 15, 2014 at 01:49:38PM +0300, Alexey Dobriyan wrote:
> Return value matters. It may not matter for kernel, because kernel is
> not heavy string user.
> But it is better to not diverge from master code:
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/strlcpy.c?rev=1.11
> 

Oh...  Hm.  Maybe we should drop this patch then.

> Counter-rationale:
> * strlcpy() accepts strings, so if you're giving raw buffer you're
> doing it wrong.
> * last byte of last page argument is bogus because kernel copies data
> from userspace first.

The last byte of the page argument seems possible:

	foo = kmalloc();
	copy_from_user(foo, arg, sizeof(foo));
	strlcpy(dest.str, foo->bar, sizeof(dest.str));

It's a very unlikely scenario.  You have to be very unlucky to hit it at
all.

regards,
dan carpenter

Re: + lib-stringc-strlcpy-might-read-too-far.patch added to -mm tree

[Alexey Dobriyan]

On Tue, Apr 15, 2014 at 2:18 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Tue, Apr 15, 2014 at 01:49:38PM +0300, Alexey Dobriyan wrote:
>> Return value matters. It may not matter for kernel, because kernel is
>> not heavy string user.
>> But it is better to not diverge from master code:
>> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/strlcpy.c?rev=1.11
>>
>
> Oh...  Hm.  Maybe we should drop this patch then.
>
>> Counter-rationale:
>> * strlcpy() accepts strings, so if you're giving raw buffer you're
>> doing it wrong.
>> * last byte of last page argument is bogus because kernel copies data
>> from userspace first.
>
> The last byte of the page argument seems possible:
>
>         foo = kmalloc();
>         copy_from_user(foo, arg, sizeof(foo));

Correct code would do
        foo->bar[sizeof(foo->bar)-1] = '\0';
if this field is a string.

>         strlcpy(dest.str, foo->bar, sizeof(dest.str));