Message ID | 0b1790ca91b71e3362a6a4c2863bc5787b4d60c9.1698501284.git.christophe.jaillet@wanadoo.fr |
---|---|
State | New |
Headers | From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> To: Jason Wessel <jason.wessel@windriver.com>, Daniel Thompson <daniel.thompson@linaro.org>, Douglas Anderson <dianders@chromium.org>, Martin Hicks <mort@sgi.com> Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET <christophe.jaillet@wanadoo.fr>, kgdb-bugreport@lists.sourceforge.net Subject: [PATCH] kdb: Fix a potential buffer overflow in kdb_local() Date: Sat, 28 Oct 2023 15:55:00 +0200 |
Series | kdb: Fix a potential buffer overflow in kdb_local() |
Commit Message
Christophe JAILLET
Oct. 28, 2023, 1:55 p.m. UTC
When appending "[defcmd]" to 'kdb_prompt_str', the size of the string
already in the buffer should be taken into account.
Switch from strncat() to strlcat() which does the correct test to avoid
such an overflow.
Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
kernel/debug/kdb/kdb_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
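An added example, not part of the patch or the kernel source: user-space C that computes how far the old strncat() call can write and shows a size-bounded append in its place. EX_BUFLEN, strncat_footprint() and bounded_cat() are hypothetical names, and the buffer size and prompt are constructed.

```c
#include <stdio.h>
#include <string.h>

#define EX_BUFLEN 16	/* constructed; the page does not give CMD_BUFLEN's value */

/*
 * Bytes strncat(dst, src, n) stores counting from the start of dst: the
 * string already there, at most n bytes of src, and the NUL. n caps what
 * is taken from src; it is not the capacity of dst.
 */
static size_t strncat_footprint(const char *dst, const char *src, size_t n)
{
	size_t slen = strlen(src);

	return strlen(dst) + (slen < n ? slen : n) + 1;
}

/*
 * Hypothetical stand-in with strlcat() semantics: size is the capacity of
 * dst. Returns the untruncated length, so a result >= size means the
 * append was cut short.
 */
static size_t bounded_cat(char *dst, const char *src, size_t size)
{
	size_t dlen = 0, slen = strlen(src), room;

	while (dlen < size && dst[dlen])
		dlen++;
	if (dlen == size)	/* no NUL inside size: leave dst untouched */
		return size + slen;
	room = size - dlen - 1;
	if (slen < room)
		room = slen;
	memcpy(dst + dlen, src, room);
	dst[dlen + room] = '\0';
	return dlen + slen;
}

int main(void)
{
	char prompt[EX_BUFLEN] = "[0]kdb> ";	/* constructed 8-byte prompt */

	printf("strncat would need %zu of %d bytes\n",
	       strncat_footprint(prompt, "[defcmd]", EX_BUFLEN), EX_BUFLEN);
	printf("bounded append returned %zu, prompt is \"%s\"\n",
	       bounded_cat(prompt, "[defcmd]", EX_BUFLEN), prompt);
	return 0;
}
```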
Comments
Hi, On Sat, Oct 28, 2023 at 6:55 AM Christophe JAILLET <christophe.jaillet@wanadoo.fr> wrote: > > When appending "[defcmd]" to 'kdb_prompt_str', the size of the string > already in the buffer should be taken into account. > > Switch from strncat() to strlcat() which does the correct test to avoid > such an overflow. > > Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > kernel/debug/kdb/kdb_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c > index 438b868cbfa9..e5f0bf0f45d1 100644 > --- a/kernel/debug/kdb/kdb_main.c > +++ b/kernel/debug/kdb/kdb_main.c > @@ -1350,7 +1350,7 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs, > snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"), > raw_smp_processor_id()); > if (defcmd_in_progress) > - strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN); > + strlcat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN); Some of this code is a bit hard to follow, but I think it's better to simply delete the whole "strncat". Specifically, as of commit a37372f6c3c0 ("kdb: Prevent kernel oops with kdb_defcmd") it's clear that "defcmd" can't actually be run to define new commands interactively. It's also clear to me that "defcmd_in_progress" is only set when defining new commands. The prompt being constructed here is a prompt that's printed to the end user when working interactively. That means the "if (defcmd_in_progress)" should never be true and it can be deleted as dead code. -Doug
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c index 438b868cbfa9..e5f0bf0f45d1 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -1350,7 +1350,7 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs, snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"), raw_smp_processor_id()); if (defcmd_in_progress) - strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN); + strlcat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN); /* * Fetch command from keyboard
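Review bot: The strlcat() call on the added line discards its return value, so when the expanded PROMPT already fills most of CMD_BUFLEN the "[defcmd]" marker is cut short with no indication. Either note in the commit message that a truncated marker is acceptable, or compare the result against CMD_BUFLEN. The commit message would also be clearer if it said why the old call was wrong: the third argument of strncat() limits how many bytes are taken from the source, not the size of kdb_prompt_str, so passing CMD_BUFLEN never bounded the write. Given the reply in the thread that defcmd_in_progress cannot be true when this prompt is built, dropping the if and the append altogether is worth considering in place of this change.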