| Message ID | 20231018180709.work.293-kees@kernel.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2908:b0:403:3b70:6f57 with SMTP id
ib8csp4975328vqb;
Wed, 18 Oct 2023 11:07:31 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IHwHKOlLb8qB04s1fCUolzGhXidCfjVI10sI3572Ymd+bm8W8eZxmxnSVcWG+4z35jEWMGW
X-Received: by 2002:a05:6a20:7286:b0:160:97a3:cae9 with SMTP id
o6-20020a056a20728600b0016097a3cae9mr6856308pzk.54.1697652451016;
Wed, 18 Oct 2023 11:07:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697652451; cv=none;
d=google.com; s=arc-20160816;
b=ta0B+F/Ul0iZlr0o+8CdHhRf1DsGbo/evAuX0gXU78jNtM0cKEolQR6Sy8RoNrplAh
iTiGCERgmgAXD9vklg0O9og5wvUHcJ9YHv2cVGsxsWSKz+uEBcaTmbFW5gf00+utbC5n
roWeGtIULOix8HYVfdeL83Nz0950GGdEPg9gqCdfzmhvaGnoLfNKIwSkUchnUWjJO2Wn
rxmPfuTdn6a72z6YlYg9yy/EPa+6f8KhGLIYZ8CSv/bppBO1h7r2d80YUWHD1UOG2OvS
VWxDbVBg+3QXWqGITn3xpnmUs5dSva6XWL9jdNtPELnNve/B/pLq0AWcYNR4/+JRYn0H
kYsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=XonaI8Xf/SLuA38iJr1RRfWuXVp5bhd8ehTmRJBXQ1A=;
fh=pmVS04wpeBoVWQJHwXamRlFk5XPYIsoYM6HSNPcJllg=;
b=QCxCgQv6s2OiRJ47a4Yn35nhVi2t8xt94DwAuOXpdqDcYQhTboGR3347AQnhd0fDO8
2QgAGeaidnBq9ZR4LeenmTdJqQf0t/O/vk1rGXBGW1j8si+zTynIoMkbNc06ESJqhDQN
8QqrQ/igiQuF5qsBG9Zf8fyqcXSL/0rcsjGAV1ka51HCHeUpIphXFzhC51fddZ56hyD0
LRQwBkdJhxU8LOltULBbiSuQnbKi0D/lXax4Y/YlzrKwEaMbz91HWUd4u4AvAxB/O5oq
98gcz3G7vZX5pjQ8JE4Ji1eh8iGDTDxeltCit7zlmkQDkof+msLHB112rAzqf9+jXP3v
Y7TA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=jsCio2pz;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7])
by mx.google.com with ESMTPS id
ep22-20020a17090ae65600b0027924ff5de3si382640pjb.68.2023.10.18.11.07.30
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 18 Oct 2023 11:07:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
client-ip=2620:137:e000::3:7;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=jsCio2pz;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:7 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by snail.vger.email (Postfix) with ESMTP id 9AD83805F099;
Wed, 18 Oct 2023 11:07:29 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231848AbjJRSH1 (ORCPT <rfc822;zwp10758@gmail.com> + 24 others);
Wed, 18 Oct 2023 14:07:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53592 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230088AbjJRSHY (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 18 Oct 2023 14:07:24 -0400
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com
[IPv6:2607:f8b0:4864:20::430])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD2B411F
for <linux-kernel@vger.kernel.org>;
Wed, 18 Oct 2023 11:07:22 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id
d2e1a72fcca58-6b497c8575aso5214766b3a.1
for <linux-kernel@vger.kernel.org>;
Wed, 18 Oct 2023 11:07:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1697652442; x=1698257242;
darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=XonaI8Xf/SLuA38iJr1RRfWuXVp5bhd8ehTmRJBXQ1A=;
b=jsCio2pz4AKPS9kJon3SZ6ovCU2LvJeLcwusI5VA/Moj02q2JBhz1LuFon1sDDZqYw
DRpBpOM9zmUXRqNU6zPaqWbVz+Pqq15nCuAC1jxTa1YJzYctIgJqE36uy/79gYi20s/A
JSuc1+uqTrC7k4bGSQstiHJ3bWCe2vipn+7ho=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1697652442; x=1698257242;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=XonaI8Xf/SLuA38iJr1RRfWuXVp5bhd8ehTmRJBXQ1A=;
b=Pbi6js98tIXCmkSCH49LQ4CdYHrtoSeLE5kEp5OiKtxzpsWmqDGscLrfSR3LG87gg+
b27s6sw/GQNYr802xT8+MOWRchfkavIb/4cgA/sFxtuidhjDGwM6fF8vRerM2L+1G/hp
qbAgxQm5XT5tpRLE96FLWHF5z4YDaeUZ900u8Y0wQFLvl/G67KAwAUkMzdFukDBEKNUf
RJFyEDJlSZ7dwdV/F2NwQNKPcARzkZeSGnO/pIrnZQcGIxknY4qZGvzf2kB4MHulbTw/
ORRQGiT1u+/8EBUacRvaXgbo7uvQ/GYAsLzksm1xruZhA9lQbAPtRij9Fsjv7vAL/zLF
/8Sw==
X-Gm-Message-State: AOJu0Yxsxpy66mWqC1+Y14vp9aQPVBQ08ReT7e8R+J26ewNINlOJBbOL
l/hSAXpH2QrVBYkwzdFUcdQSgg==
X-Received: by 2002:a05:6a00:b46:b0:6be:4e6e:2a85 with SMTP id
p6-20020a056a000b4600b006be4e6e2a85mr7147729pfo.30.1697652442150;
Wed, 18 Oct 2023 11:07:22 -0700 (PDT)
Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net.
[198.0.35.241])
by smtp.gmail.com with ESMTPSA id
x26-20020aa79ada000000b0069309cbc220sm3625673pfp.121.2023.10.18.11.07.21
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 18 Oct 2023 11:07:21 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Andy Shevchenko <andy@kernel.org>
Cc: Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] string: Adjust strtomem_pad() logic to allow for smaller
sources
Date: Wed, 18 Oct 2023 11:07:17 -0700
Message-Id: <20231018180709.work.293-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=2772; i=keescook@chromium.org;
h=from:subject:message-id; bh=Rt1eV6YjyZR8hPzO/9qK3HhySIUW19g/DhKIx9uJ9jQ=;
b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlMB7VZWKyUdda+qSVCCbnpliyQcdpJPLHtjhC6
wQ+xa1Q9k2JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZTAe1QAKCRCJcvTf3G3A
JvLtD/4vR8iWSvia1DQYbZ8m+tqzhImzUGpErsH/KDBTULSjLG+5iWaI1Sk4C2zSlqEzo7SqEXM
Kt3AZDESIQynRLJky5h+GNObiXryvBdfesyvC1ycPKr5Aror8ouzxAFzwgl6IRtNFLsn5z/9+VX
5chlFTq8xtubHLh3BXGvqQvKjRAdzDVBCGx9x5g/7rLJGaBD3rhJj6eYMsJpvwmFDc6EEyG8HKD
YxeBhJLkHBSnkMpFRVYspLGVmsEa+lvAOHwfQa15huGvb4AtnJsoS85L0hXWbzNfjp5aDB1TzzL
+38CUoVhtBzuAnEyXBWadZV06HbXyl6M3PEFE7kF+w47SGFXJ85SCN9Gm44sTyZDDxiUsLoiWjy
6jeKdH4O6pGyXuXlEnpEEBsIzmxzVF9Rl74P5e7vC7Eli1Jz7ILMVEpbrINStNOOkUBizb7oalu
ZEIQrRlZWjm0Q+iD1y5oFExoM0edBPWIgBsi0qnWyQdnSFJk+2iySCuSaQczSAvorCWOukEZlRy
iF3WFmv3J2WdEgXos+iuNxMbZalvvBAHYgdQleYGEoG2pdBz73lTvz3/bH2+Y4B/WTgvUwVjLre
ljV/6yoBVamHn6dHWUj1x6AFevYMlr897FIZ07lhgqZpRDCBzmMjPvQNMCEC8mRyTvmsO0EiXNq
HaRyCCV cae/bc5Q==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
Wed, 18 Oct 2023 11:07:29 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1780117616712669006
X-GMAIL-MSGID: 1780117616712669006
|
| Series |
string: Adjust strtomem_pad() logic to allow for smaller sources
|
|
Commit Message
Kees Cook
Oct. 18, 2023, 6:07 p.m. UTC
Arnd noticed we have a case where a shorter source string is being copied
into a destination byte array, but this results in a strnlen() call that
exceeds the size of the source. This is seen with -Wstringop-overread:
In file included from ../include/linux/uuid.h:11,
from ../include/linux/mod_devicetable.h:14,
from ../include/linux/cpufeature.h:12,
from ../arch/x86/coco/tdx/tdx.c:7:
../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop':
../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 exceeds source size 60 [-Werror=stringop-overread]
284 | memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 'strtomem_pad'
124 | strtomem_pad(message.str, msg, '\0');
| ^~~~~~~~~~~~
Use the smaller of the two buffer sizes when calling strnlen(). When
src length is unknown (SIZE_MAX), it will use dest length, which is what
the original code did.
Reported-by: Arnd Bergmann <arnd@arndb.de>
Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()")
Cc: Andy Shevchenko <andy@kernel.org>
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/string.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
Comments
On Wed, Oct 18, 2023, at 20:07, Kees Cook wrote: > Arnd noticed we have a case where a shorter source string is being copied > into a destination byte array, but this results in a strnlen() call that > exceeds the size of the source. This is seen with -Wstringop-overread: > > In file included from ../include/linux/uuid.h:11, > from ../include/linux/mod_devicetable.h:14, > from ../include/linux/cpufeature.h:12, > from ../arch/x86/coco/tdx/tdx.c:7: > ../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop': > ../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 > exceeds source size 60 [-Werror=stringop-overread] > 284 | memcpy_and_pad(dest, _dest_len, src, strnlen(src, > _dest_len), pad); \ > | > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro > 'strtomem_pad' > 124 | strtomem_pad(message.str, msg, '\0'); > | ^~~~~~~~~~~~ > > Use the smaller of the two buffer sizes when calling strnlen(). When > src length is unknown (SIZE_MAX), it will use dest length, which is what > the original code did. > > Reported-by: Arnd Bergmann <arnd@arndb.de> > Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()") > Cc: Andy Shevchenko <andy@kernel.org> > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Thanks for addressing this, looks good Tested-by: Arnd Bergmann <arnd@arndb.de>
diff --git a/include/linux/string.h b/include/linux/string.h index dbfc66400050..9e3cb6923b0e 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -277,10 +277,12 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, */ #define strtomem_pad(dest, src, pad) do { \ const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _src_len = __builtin_object_size(src, 1); \ \ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \ _dest_len == (size_t)-1); \ - memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \ + memcpy_and_pad(dest, _dest_len, src, \ + strnlen(src, min(_src_len, _dest_len)), pad); \ } while (0) /** @@ -298,10 +300,11 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, */ #define strtomem(dest, src) do { \ const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _src_len = __builtin_object_size(src, 1); \ \ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \ _dest_len == (size_t)-1); \ - memcpy(dest, src, min(_dest_len, strnlen(src, _dest_len))); \ + memcpy(dest, src, strnlen(src, min(_src_len, _dest_len))); \ } while (0) /**