From: Ingo Molnar <mingo@kernel.org>
To: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@alien8.de>
Subject: Re: [PATCH] string: Fix strscpy() uninitialized data copy bug
Date: Tue, 6 Oct 2015 09:21:51 +0200 [thread overview]
Message-ID: <20151006072151.GA10672@gmail.com> (raw)
In-Reply-To: <5612C749.8090308@ezchip.com>
* Chris Metcalf <cmetcalf@ezchip.com> wrote:
> Unfortunately using memset() like that will break on big-endian machines.
doh ... and I somehow convinced myself that it was endian safe ;-)
> [...] I always have to go back and play around with the word-at-a-time.h
> definitions to get this right, but I think it's possible that the "data" itself
> has the mask to clear the unwanted bytes, i.e. you could do something like the
> following (untested).
>
> I'm still not totally convinced it's necessary, as programmers should generally
> assume anything beyond the end of a copied string is garbage anyway, and since
> we're not copying it to userspace we're not exposing any possibly secure data.
>
> Races shouldn't be a concern either since, after all, there is already a window
> where we may have overwritten the NUL end of an earlier shorter string, and now
> a racy copy from the partially-written dest buf could walk right off the end of
> the buffer itself, so you'd already better not be doing that.
>
> But, all that said, I'm not opposed to a simple fix to avoid carrying along the
> uninitialized bytes from beyond the end of the source string, since it does seem
> a bit cleaner, even if I can't put my finger in a reason why it would actually
> matter.
So it would matter for more advanced sharing ABIs: for example if there's an
mlock()-ed area registered on the kernel side as well as kernel accessible memory,
and if we do an strscpy() to such a target area, we don't want to leak
uninitialized data to user-space.
(This is not theoretical, the perf ring-buffer is such a construct for example.)
So IMHO this is a quality of implementation issue that we should fix.
> diff --git a/lib/string.c b/lib/string.c
> index 8dbb7b1eab50..ba64f4e0382d 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -203,12 +203,13 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
> unsigned long c, data;
> c = *(unsigned long *)(src+res);
> - *(unsigned long *)(dest+res) = c;
> if (has_zero(c, &data, &constants)) {
> data = prep_zero_mask(c, data, &constants);
> data = create_zero_mask(data);
> + *(unsigned long *)(dest+res) = c & data;
> return res + find_zero(data);
> }
> + *(unsigned long *)(dest+res) = c;
> res += sizeof(unsigned long);
> count -= sizeof(unsigned long);
> max -= sizeof(unsigned long);
Looks good to me!
Thanks,
Ingo
next prev parent reply other threads:[~2015-10-06 7:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-05 15:38 [PATCH] string: Improve the generic strlcpy() implementation Alexey Dobriyan
2015-10-05 16:11 ` Ingo Molnar
2015-10-05 16:13 ` Ingo Molnar
[not found] ` <CA+55aFyTVJfCt00gYJpiQW5kqPaRGJ93JmfRRni-73zCf5ivqg@mail.gmail.com>
2015-10-05 16:22 ` Ingo Molnar
2015-10-05 16:28 ` Ingo Molnar
2015-10-05 16:36 ` [PATCH] string: Fix strscpy() uninitialized data copy bug Ingo Molnar
2015-10-05 18:54 ` Chris Metcalf
2015-10-06 7:21 ` Ingo Molnar [this message]
2015-10-05 20:40 ` [PATCH] string: Improve the generic strlcpy() implementation Linus Torvalds
2015-10-06 16:47 ` [PATCH] strscpy: zero any trailing garbage bytes in the destination Chris Metcalf
2015-10-06 16:59 ` kbuild test robot
2015-10-06 17:34 ` Chris Metcalf
2015-10-07 7:28 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151006072151.GA10672@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=adobriyan@gmail.com \
--cc=bp@alien8.de \
--cc=cmetcalf@ezchip.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).