|
Message-ID: <20180308104309.l3j2deqrgq5d472g@mwanda> Date: Thu, 8 Mar 2018 13:43:09 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Rasmus Villemoes <rasmus.villemoes@...vas.dk> Cc: Kees Cook <keescook@...omium.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, devel@...verdev.osuosl.org, Dmitry Eremin <dmitry.eremin@...el.com>, Tycho Andersen <tycho@...ho.ws>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, linux-kernel@...r.kernel.org, Gargi Sharma <gs051095@...il.com>, Oleg Drokin <oleg.drokin@...el.com>, Andreas Dilger <andreas.dilger@...el.com>, lustre-devel@...ts.lustre.org Subject: Re: [PATCH] staging: lustre: Remove VLA usage On Wed, Mar 07, 2018 at 02:10:41PM +0100, Rasmus Villemoes wrote: > On 2018-03-07 06:46, Kees Cook wrote: > > The kernel would like to remove all VLA usage. This switches to a > > simple kasprintf() instead. > > > > Signed-off-by: Kees Cook <keescook@...omium.org> > > --- > > drivers/staging/lustre/lustre/llite/xattr.c | 19 +++++++++++++------ > > 1 file changed, 13 insertions(+), 6 deletions(-) > > > > diff --git a/drivers/staging/lustre/lustre/llite/xattr.c b/drivers/staging/lustre/lustre/llite/xattr.c > > index 532384c91447..aab4eab64289 100644 > > --- a/drivers/staging/lustre/lustre/llite/xattr.c > > +++ b/drivers/staging/lustre/lustre/llite/xattr.c > > @@ -87,7 +87,7 @@ ll_xattr_set_common(const struct xattr_handler *handler, > > const char *name, const void *value, size_t size, > > int flags) > > { > > - char fullname[strlen(handler->prefix) + strlen(name) + 1]; > > + char *fullname; > > struct ll_sb_info *sbi = ll_i2sbi(inode); > > struct ptlrpc_request *req = NULL; > > const char *pv = value; > > @@ -141,10 +141,13 @@ ll_xattr_set_common(const struct xattr_handler *handler, > > return -EPERM; > > } > > > > - sprintf(fullname, "%s%s\n", handler->prefix, name); > > It's probably worth pointing out that this actually fixes an > unconditional buffer overflow: fullname only has room for the two > strings and the '\n', but vsnprintf() is told that the buffer has > infinite size (well, INT_MAX), so there should be plenty of room to > append the '\0' after the '\n'. > > > + fullname = kasprintf(GFP_KERNEL, "%s%s\n", handler->prefix, name); > > + if (!fullname) > > + return -ENOMEM; > > rc = md_setxattr(sbi->ll_md_exp, ll_inode2fid(inode), > > valid, fullname, pv, size, 0, flags, > > ll_i2suppgid(inode), &req); > > + kfree(fullname); > > if (rc) { > > if (rc == -EOPNOTSUPP && handler->flags == XATTR_USER_T) { > > LCONSOLE_INFO("Disabling user_xattr feature because it is not supported on the server\n"); > > @@ -364,7 +367,7 @@ static int ll_xattr_get_common(const struct xattr_handler *handler, > > struct dentry *dentry, struct inode *inode, > > const char *name, void *buffer, size_t size) > > { > > - char fullname[strlen(handler->prefix) + strlen(name) + 1]; > > + char *fullname; > > struct ll_sb_info *sbi = ll_i2sbi(inode); > > #ifdef CONFIG_FS_POSIX_ACL > > struct ll_inode_info *lli = ll_i2info(inode); > > @@ -411,9 +414,13 @@ static int ll_xattr_get_common(const struct xattr_handler *handler, > > if (handler->flags == XATTR_ACL_DEFAULT_T && !S_ISDIR(inode->i_mode)) > > return -ENODATA; > > #endif > > - sprintf(fullname, "%s%s\n", handler->prefix, name); > > Same here. > > I'm a little surprised this hasn't been caugt by static analysis, I > thought gcc/coverity/smatch/whatnot had gotten pretty good at computing > the size of the output generated by a given format string with "known" > arguments and comparing to the size of the output buffer. Though of > course it does require the tool to be able to do symbolic manipulations, > in this case realizing that > > outsize == strlen(x)+strlen(y)+1+1 > bufsize == strlen(x)+strlen(y)+1 That kind of symbolic manipulation is crazy hard to do. regards, dan carpenter
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.