Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5j+OTu84ohuR3f4_xKRw9vikVi-K2TnH3+n_ekX1m1Vv8A@mail.gmail.com>
Date: Wed, 7 Mar 2018 09:20:31 -0800
From: Kees Cook <keescook@...omium.org>
To: Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, LKML <linux-kernel@...r.kernel.org>, 
	"Tobin C. Harding" <me@...in.cc>, Tycho Andersen <tycho@...ho.ws>, Oleg Drokin <oleg.drokin@...el.com>, 
	Andreas Dilger <andreas.dilger@...el.com>, James Simmons <jsimmons@...radead.org>, 
	Dmitry Eremin <dmitry.eremin@...el.com>, Gargi Sharma <gs051095@...il.com>, 
	Lustre Development List <lustre-devel@...ts.lustre.org>, devel@...verdev.osuosl.org, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH] staging: lustre: Remove VLA usage

On Wed, Mar 7, 2018 at 5:10 AM, Rasmus Villemoes
<rasmus.villemoes@...vas.dk> wrote:
> On 2018-03-07 06:46, Kees Cook wrote:
>> The kernel would like to remove all VLA usage. This switches to a
>> simple kasprintf() instead.
>>
>> Signed-off-by: Kees Cook <keescook@...omium.org>
>> ---
>>  drivers/staging/lustre/lustre/llite/xattr.c | 19 +++++++++++++------
>>  1 file changed, 13 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/staging/lustre/lustre/llite/xattr.c b/drivers/staging/lustre/lustre/llite/xattr.c
>> index 532384c91447..aab4eab64289 100644
>> --- a/drivers/staging/lustre/lustre/llite/xattr.c
>> +++ b/drivers/staging/lustre/lustre/llite/xattr.c
>> @@ -87,7 +87,7 @@ ll_xattr_set_common(const struct xattr_handler *handler,
>>                   const char *name, const void *value, size_t size,
>>                   int flags)
>>  {
>> -     char fullname[strlen(handler->prefix) + strlen(name) + 1];
>> +     char *fullname;
>>       struct ll_sb_info *sbi = ll_i2sbi(inode);
>>       struct ptlrpc_request *req = NULL;
>>       const char *pv = value;
>> @@ -141,10 +141,13 @@ ll_xattr_set_common(const struct xattr_handler *handler,
>>                       return -EPERM;
>>       }
>>
>> -     sprintf(fullname, "%s%s\n", handler->prefix, name);
>
> It's probably worth pointing out that this actually fixes an
> unconditional buffer overflow: fullname only has room for the two
> strings and the '\n', but vsnprintf() is told that the buffer has
> infinite size (well, INT_MAX), so there should be plenty of room to
> append the '\0' after the '\n'.
>
>> +     fullname = kasprintf(GFP_KERNEL, "%s%s\n", handler->prefix, name);
>> +     if (!fullname)
>> +             return -ENOMEM;
>>       rc = md_setxattr(sbi->ll_md_exp, ll_inode2fid(inode),
>>                        valid, fullname, pv, size, 0, flags,
>>                        ll_i2suppgid(inode), &req);
>> +     kfree(fullname);
>>       if (rc) {
>>               if (rc == -EOPNOTSUPP && handler->flags == XATTR_USER_T) {
>>                       LCONSOLE_INFO("Disabling user_xattr feature because it is not supported on the server\n");
>> @@ -364,7 +367,7 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,
>>                              struct dentry *dentry, struct inode *inode,
>>                              const char *name, void *buffer, size_t size)
>>  {
>> -     char fullname[strlen(handler->prefix) + strlen(name) + 1];
>> +     char *fullname;
>>       struct ll_sb_info *sbi = ll_i2sbi(inode);
>>  #ifdef CONFIG_FS_POSIX_ACL
>>       struct ll_inode_info *lli = ll_i2info(inode);
>> @@ -411,9 +414,13 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,
>>       if (handler->flags == XATTR_ACL_DEFAULT_T && !S_ISDIR(inode->i_mode))
>>               return -ENODATA;
>>  #endif
>> -     sprintf(fullname, "%s%s\n", handler->prefix, name);
>
> Same here.
>
> I'm a little surprised this hasn't been caugt by static analysis, I
> thought gcc/coverity/smatch/whatnot had gotten pretty good at computing
> the size of the output generated by a given format string with "known"
> arguments and comparing to the size of the output buffer. Though of
> course it does require the tool to be able to do symbolic manipulations,
> in this case realizing that
>
> outsize == strlen(x)+strlen(y)+1+1 > bufsize == strlen(x)+strlen(y)+1
>
> Rasmus

Oh yes, hah. I didn't even see the \n in the string. :P

So, both a VLA fix and a buffer over-run fix. Can I add your "Reviewed-by"? :)

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.