Message-ID: <CAGXu5j+OTu84ohuR3f4_xKRw9vikVi-K2TnH3+n_ekX1m1Vv8A@mail.gmail.com>
Date: Wed, 7 Mar 2018 09:20:31 -0800
From: Kees Cook <keescook@...omium.org>
To: Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, LKML <linux-kernel@...r.kernel.org>, 
	"Tobin C. Harding" <me@...in.cc>, Tycho Andersen <tycho@...ho.ws>, Oleg Drokin <oleg.drokin@...el.com>, 
	Andreas Dilger <andreas.dilger@...el.com>, James Simmons <jsimmons@...radead.org>, 
	Dmitry Eremin <dmitry.eremin@...el.com>, Gargi Sharma <gs051095@...il.com>, 
	Lustre Development List <lustre-devel@...ts.lustre.org>, devel@...verdev.osuosl.org, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH] staging: lustre: Remove VLA usage

On Wed, Mar 7, 2018 at 5:10 AM, Rasmus Villemoes
<rasmus.villemoes@...vas.dk> wrote:
> On 2018-03-07 06:46, Kees Cook wrote:
>> The kernel would like to remove all VLA usage. This switches to a
>> simple kasprintf() instead.
>>
>> Signed-off-by: Kees Cook <keescook@...omium.org>
>> ---
>>  drivers/staging/lustre/lustre/llite/xattr.c | 19 +++++++++++++------
>>  1 file changed, 13 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/staging/lustre/lustre/llite/xattr.c b/drivers/staging/lustre/lustre/llite/xattr.c
>> index 532384c91447..aab4eab64289 100644
>> --- a/drivers/staging/lustre/lustre/llite/xattr.c
>> +++ b/drivers/staging/lustre/lustre/llite/xattr.c
>> @@ -87,7 +87,7 @@ ll_xattr_set_common(const struct xattr_handler *handler,
>>                   const char *name, const void *value, size_t size,
>>                   int flags)
>>  {
>> -     char fullname[strlen(handler->prefix) + strlen(name) + 1];
>> +     char *fullname;
>>       struct ll_sb_info *sbi = ll_i2sbi(inode);
>>       struct ptlrpc_request *req = NULL;
>>       const char *pv = value;
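Review bot: the removed VLA `char fullname[strlen(handler->prefix) + strlen(name) + 1];` leaves room for the two strings plus a single extra byte, but the `sprintf(fullname, "%s%s\n", handler->prefix, name);` in the next hunk emits both strings, a '\n' and the terminating NUL, so the old code wrote one byte past the end of the array on every call; the commit message should state that this is a buffer over-run fix as well as a VLA removal, since that changes how the patch should be backported.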
>> @@ -141,10 +141,13 @@ ll_xattr_set_common(const struct xattr_handler *handler,
>>                       return -EPERM;
>>       }
>>
>> -     sprintf(fullname, "%s%s\n", handler->prefix, name);
>
> It's probably worth pointing out that this actually fixes an
> unconditional buffer overflow: fullname only has room for the two
> strings and the '\n', but vsnprintf() is told that the buffer has
> infinite size (well, INT_MAX), so there should be plenty of room to
> append the '\0' after the '\n'.
>
>> +     fullname = kasprintf(GFP_KERNEL, "%s%s\n", handler->prefix, name);
>> +     if (!fullname)
>> +             return -ENOMEM;
>>       rc = md_setxattr(sbi->ll_md_exp, ll_inode2fid(inode),
>>                        valid, fullname, pv, size, 0, flags,
>>                        ll_i2suppgid(inode), &req);
>> +     kfree(fullname);
>>       if (rc) {
>>               if (rc == -EOPNOTSUPP && handler->flags == XATTR_USER_T) {
>>                       LCONSOLE_INFO("Disabling user_xattr feature because it is not supported on the server\n");
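Review bot: kfree(fullname) is placed directly after the md_setxattr() call and before the `if (rc)` check, so neither the success path nor the error branch leaks the allocation, and the `if (!fullname) return -ENOMEM;` early return happens before anything in this hunk that would need cleanup; one style point is that the format string still carries the trailing '\n', which is unusual for an xattr name, so if that byte is intentional for the server-side name a one-line comment here would stop the next reader from "fixing" it.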
>> @@ -364,7 +367,7 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,
>>                              struct dentry *dentry, struct inode *inode,
>>                              const char *name, void *buffer, size_t size)
>>  {
>> -     char fullname[strlen(handler->prefix) + strlen(name) + 1];
>> +     char *fullname;
>>       struct ll_sb_info *sbi = ll_i2sbi(inode);
>>  #ifdef CONFIG_FS_POSIX_ACL
>>       struct ll_inode_info *lli = ll_i2info(inode);
>> @@ -411,9 +414,13 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,
>>       if (handler->flags == XATTR_ACL_DEFAULT_T && !S_ISDIR(inode->i_mode))
>>               return -ENODATA;
>>  #endif
>> -     sprintf(fullname, "%s%s\n", handler->prefix, name);
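Review bot: the quoted diff stops at the removed sprintf() line, so the replacement kasprintf()/kfree() pairing for ll_xattr_get_common() is not visible in this reply; assuming it mirrors the set path, the thing to check is that kfree(fullname) precedes every return that follows the call consuming fullname, while the CONFIG_FS_POSIX_ACL `return -ENODATA` above is fine because it runs before the allocation.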
>
> Same here.
>
> I'm a little surprised this hasn't been caught by static analysis, I
> thought gcc/coverity/smatch/whatnot had gotten pretty good at computing
> the size of the output generated by a given format string with "known"
> arguments and comparing to the size of the output buffer. Though of
> course it does require the tool to be able to do symbolic manipulations,
> in this case realizing that
>
> outsize == strlen(x)+strlen(y)+1+1 > bufsize == strlen(x)+strlen(y)+1
>
> Rasmus

Oh yes, hah. I didn't even see the \n in the string. :P

So, both a VLA fix and a buffer over-run fix. Can I add your "Reviewed-by"? :)

-Kees

-- 
Kees Cook
Pixel Security
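As an added illustration of the off-by-one Rasmus describes, not code from the thread or from Lustre: the functions below use hypothetical prefix/name strings to compare the size the old VLA reserved against the size that "%s%s\n" plus its NUL actually needs, and build the name with a bounded snprintf() whose return value is checked, which is the user-space way to turn the silent one-byte over-run into a detectable error.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size the removed VLA used: strlen(prefix) + strlen(name) + 1. */
size_t vla_size(const char *prefix, const char *name)
{
	return strlen(prefix) + strlen(name) + 1;
}

/* Bytes the "%s%s\n" format really needs, including the terminating NUL. */
size_t needed_size(const char *prefix, const char *name)
{
	return strlen(prefix) + strlen(name) + 1 /* '\n' */ + 1 /* '\0' */;
}

/*
 * Build the name with a bounded snprintf(). snprintf() returns the length
 * the complete output would have had; if that is >= bufsize the output was
 * truncated, which is exactly the case the unbounded sprintf() turned into
 * a one-byte over-run. Returns 0 on success, -1 if the buffer is too small
 * (the buffer stays NUL-terminated either way).
 */
int build_fullname(char *buf, size_t bufsize, const char *prefix, const char *name)
{
	int n = snprintf(buf, bufsize, "%s%s\n", prefix, name);

	if (n < 0 || (size_t)n >= bufsize)
		return -1;
	return 0;
}

int main(void)
{
	/* Constructed sample values; "user." mirrors a typical xattr prefix. */
	const char *prefix = "user.";
	const char *name = "foo";
	char buf[32];

	printf("vla size    = %zu\n", vla_size(prefix, name));
	printf("needed size = %zu\n", needed_size(prefix, name));

	if (build_fullname(buf, vla_size(prefix, name), prefix, name) < 0)
		printf("VLA-sized buffer: output truncated (old code over-ran here)\n");
	if (build_fullname(buf, needed_size(prefix, name), prefix, name) == 0)
		printf("correctly sized buffer: \"%s\\n\" built\n", "user.foo");
	return 0;
}
```

The kernel patch sidesteps the arithmetic entirely by letting kasprintf() size the allocation from the format and its arguments; the snprintf() return-value check above is the equivalent defence when a caller-supplied buffer must be used.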
