From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 193CCC00A89 for ; Mon, 2 Nov 2020 12:11:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A80EB223AC for ; Mon, 2 Nov 2020 12:10:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604319059; bh=NC/77HgijA8lK3BIaPDo7FO84Vs7DTsypR0F4w2tDXs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=IDRlhEFm5gp5TrsGGYa/yAF6dO1U8mcF8hJ4EoAtW/mL33eHUxQw1dcmpi4DAU5Vs M/zgdVPaKxJ1PnqHx1GEHYGT3wrWjqlaBIWK6FxoJi+aAwqyC5b02UEIjGtgsRszbt vt2gcb+ync9wQOG5wKTcmbZvI8F5opL73YZeZkm0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728609AbgKBMK6 (ORCPT ); Mon, 2 Nov 2020 07:10:58 -0500 Received: from mail.kernel.org ([198.145.29.99]:51532 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728421AbgKBMK6 (ORCPT ); Mon, 2 Nov 2020 07:10:58 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 575BC2223C; Mon, 2 Nov 2020 12:10:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604319056; bh=NC/77HgijA8lK3BIaPDo7FO84Vs7DTsypR0F4w2tDXs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IG6rrDqplYvXS5JH5QcEonlRD5fG+Y3Hd1VRveMF+O4kC4UBwQEm144DupvHQmknQ rVBXiWtqQ3zI5CEnoJdbAAKvPFpZRoDRjitbuft3mSZ8LVcxRVksmJJnlL5hnwPGKV NV5Ujhqxs+1+axpw5VYTQPzLhHNAxb/GOFjiauO8= Date: Mon, 2 Nov 2020 13:11:50 +0100 From: "gregkh@linuxfoundation.org" To: Lee Jones Cc: David Laight , "arnd@arndb.de" , "linux-kernel@vger.kernel.org" , Rodolfo Giometti , "Eurotech S.p.A" , Geert Uytterhoeven Subject: Re: [PATCH 1/2] misc: c2port: core: Make copying name from userspace more secure Message-ID: <20201102121150.GA663356@kroah.com> References: <20201102111211.1047972-1-lee.jones@linaro.org> <20201102114903.GN4127@dell> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201102114903.GN4127@dell> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 02, 2020 at 11:49:03AM +0000, Lee Jones wrote: > On Mon, 02 Nov 2020, David Laight wrote: > > > From: Lee Jones > > > Sent: 02 November 2020 11:12 > > > > > > strncpy() may not provide a NUL terminator, which means that a 1-byte > > > leak would be possible *if* this was ever copied to userspace. Ensure > > > the buffer will always be NUL terminated by using the kernel's > > > strscpy() which a) uses the destination (instead of the source) size > > > as the bytes to copy and b) is *always* NUL terminated. > > > > > > Cc: Rodolfo Giometti > > > Cc: "Eurotech S.p.A" > > > Reported-by: Geert Uytterhoeven > > > Acked-by: Arnd Bergmann > > > Signed-off-by: Lee Jones > > > --- > > > drivers/misc/c2port/core.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > > index 80d87e8a0bea9..b96444ec94c7e 100644 > > > --- a/drivers/misc/c2port/core.c > > > +++ b/drivers/misc/c2port/core.c > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > > } > > > dev_set_drvdata(c2dev->dev, c2dev); > > > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > > + strscpy(c2dev->name, name, sizeof(c2dev->name)); > > > > strscpy() doesn't zero fill so if the memory isn't zeroed > > and a 'blind' copy to user of the structure is done > > then more data is leaked. > > > > strscpy() may be better, but rational isn't right. > > The original patch zeroed the data too, but I was asked to remove that > part [0]. In your opinion, should it be reinstated? > > [0] https://lore.kernel.org/patchwork/patch/1272290/ Just keep the kzalloc() part of the patch, this portion makes no sense to me. But if you REALLY want to get it correct, call dev_set_name() instead please, as that is what it is there for. thanks, greg k-h