From: Li Zefan <lizf@cn.fujitsu.com>
To: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Tom Zanussi <tzanussi@gmail.com>, Ingo Molnar <mingo@elte.hu>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] tracing/filters: use strcmp() instead of strncmp()
Date: Tue, 02 Jun 2009 08:55:17 +0800 [thread overview]
Message-ID: <4A247875.9010507@cn.fujitsu.com> (raw)
In-Reply-To: <20090601130928.GA6000@nowhere>
Frederic Weisbecker wrote:
> On Mon, Jun 01, 2009 at 01:45:47PM +0800, Li Zefan wrote:
>>>>>> I don't think there's any security issue. It's irrelevant how big the user-input
>>>>>> strings are. The point is those strings are guaranteed to be NULL-terminated.
>>>>>> Am I missing something?
>>>>>>
>>>>>> And I don't think it's necessary to make 2 patches that each patch converts
>>>>>> one strncmp to strcmp. But maybe it's better to improve this changelog?
>>>>> Hmm, you must be right, indeed they seem to be guaranted beeing NULL-terminated
>>>>> strings.
>>>>>
>>>> Sorry, I was wrong. :(
>>>>
>>>> Though the user-input strings are guaranted to be NULL-terminated, strings
>>>> generated by TRACE_EVENT might not.
>>>>
>>>> We define static strings this way:
>>>> TP_struct(
>>>> __array(char, foo, LEN)
>>>> )
>>>> But foo is not necessarily a string, though I doubt someone will use it
>>>> as non-string char array.
>>>
>>> Yeah, but the user defined comparison operand is NULL terminated.
>>> So the strcmp will stop at this boundary.
>>>
>> The user input string is NULL terminated and is limited to MAX_FILTER_STR_VAL,
>> and it's strcmp() not strcpy(), but it's still unsafe. No?
>>
>> cmp = strcmp(addr, pred->str_val);
>>
>> If addr is not NULL-terminated string but char array, and length of
>> str_val > length of addr, then we'll be exceeding the boundary of the
>> array.
>
>
>
> No, once both strings appear to be different, strcmp returns.
> As an example, the generic strcmp in lib/string.c is as follows:
>
> int strcmp(const char *cs, const char *ct)
> {
> signed char __res;
>
> while (1) {
> if ((__res = *cs - *ct++) != 0 || !*cs++)
> break;
> }
> return __res;
> }
>
> Once cs[n] != ct[n], or !cs[n] || !ct[n], strcmp() stops,
> and the x86 implementation does exactly the same.
>
> So I guess it's safe.
>
See this example:
cmp = strcmp(addr, pred->str_val);
length(addr) == 6, strlen(str_val) == 10
123456
addr: abcdef?
^
|
v
str_val: abcdefzzzz\0
or the 2 happen to match even after addr overflowed:
123456
addr: abcdefzzzz?
^
|
v
str_val: abcdefzzzz\0
next prev parent reply other threads:[~2009-06-02 0:54 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-29 8:41 [PATCH 2/2] tracing/filters: use strcmp() instead of strncmp() Li Zefan
2009-05-29 13:51 ` Frédéric Weisbecker
2009-05-30 9:06 ` Li Zefan
2009-05-30 13:52 ` Frederic Weisbecker
2009-05-31 8:27 ` Li Zefan
2009-05-31 13:28 ` Frederic Weisbecker
2009-06-01 5:45 ` Li Zefan
2009-06-01 13:09 ` Frederic Weisbecker
2009-06-02 0:55 ` Li Zefan [this message]
2009-09-08 3:03 ` Steven Rostedt
2009-09-09 1:21 ` Li Zefan
2009-09-09 2:00 ` Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A247875.9010507@cn.fujitsu.com \
--to=lizf@cn.fujitsu.com \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=rostedt@goodmis.org \
--cc=tzanussi@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox