Re: [PATCH] Fix read buffer overflow in delta-ipc

From: Andi Kleen
Date: Wed Jan 03 2018 - 19:19:39 EST

Next message: Jiri Kosina: "Re: Avoid speculative indirect calls in kernel"
Previous message: Andrew Morton: "Re: [PATCH] mm/fadvise: discard partial pages iff endbyte is also eof"
In reply to: Hugues FRUCHET: "Re: [PATCH] Fix read buffer overflow in delta-ipc"
Next in thread: Hugues FRUCHET: "Re: [PATCH] Fix read buffer overflow in delta-ipc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 03, 2018 at 09:40:04AM +0000, Hugues FRUCHET wrote:
> Hi Andi,
> Thanks for the patch but I would suggest to use strlcpy instead, this
> will guard msg.name overwriting and add the NULL termination in case
> of truncation:
> - memcpy(msg.name, name, sizeof(msg.name));
> - msg.name[sizeof(msg.name) - 1] = 0;
> + strlcpy(msg.name, name, sizeof(msg.name));

I'm not an expert on your setup, but it seems strlcpy would leak some
uninitialized stack data over your ipc mechanism. strclpy doesn't pad the
data. If the IPC is a security boundary that would be a security bug.

So I think the original patch is better than strlcpy.

-Andi

Next message: Jiri Kosina: "Re: Avoid speculative indirect calls in kernel"
Previous message: Andrew Morton: "Re: [PATCH] mm/fadvise: discard partial pages iff endbyte is also eof"
In reply to: Hugues FRUCHET: "Re: [PATCH] Fix read buffer overflow in delta-ipc"
Next in thread: Hugues FRUCHET: "Re: [PATCH] Fix read buffer overflow in delta-ipc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]