Re: [PATCH] kernfs: fix potential null-ptr-deref in kernfs_path_from_node_locked()
From: Leizhen (ThunderTown)
Date: Wed Nov 23 2022 - 21:28:30 EST
On 2022/11/24 10:24, Leizhen (ThunderTown) wrote:
>
>
> On 2022/11/24 0:55, Tejun Heo wrote:
>> On Wed, Nov 23, 2022 at 10:04:19AM +0800, Zhen Lei wrote:
>>> Ensure that the 'buf' is not empty before strlcpy() uses it.
>>>
>>> Commit bbe70e4e4211 ("fs: kernfs: Fix possible null-pointer dereferences
>>> in kernfs_path_from_node_locked()") first noticed this, but it didn't
>>> fix it completely.
>>>
>>> Fixes: 9f6df573a404 ("kernfs: Add API to generate relative kernfs path")
>>> Signed-off-by: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
>>
>> I think the right thing to do is removing that if. It makes no sense to call
>> that function with NULL buf and the fact that nobody reported crashes on
>> NULL buf indicates that we in fact never do.
>
> OK.
>
> How about I remove "buf[0] = '\0';" too? It seems to be a useless operation.
> When 'kn_from' and 'kn_to' have a common ancestor, there must be a path from
> 'kn_from' to 'kn_to', and strlcpy() always fills in the terminator correctly,
> even if the buf is too small to save the first path node.
Sorry, I misanalyzed. The length used by "len < buflen ? buflen - len : 0" may
be zero.
>
> static void test(void)
> {
> char buf[4];
> int i, n, buflen;
>
> buflen = 1;
> n = strlcpy(buf, "string", buflen);
> for (i = 0; i < buflen; i++)
> printk("%d: %02x\n", i, buf[i]);
> printk("n=%d\n\n", n);
>
> buflen = sizeof(buf);
> n = strlcpy(buf, "string", buflen);
> for (i = 0; i < buflen; i++)
> printk("%d: %02x\n", i, buf[i]);
> printk("n=%d\n", n);
> }
>
> Output:
> [ 33.691497] 0: 00
> [ 33.691569] n=6
>
> [ 33.691595] 0: 73
> [ 33.691622] 1: 74
> [ 33.691630] 2: 72
> [ 33.691637] 3: 00
> [ 33.691650] n=6
>
>>
>> Thanks.
>>
>
--
Regards,
Zhen Lei