Re: [PATCH] vt: Fix potential read overflow of kernel memory

From: Azeem Shaikh
Date: Wed Aug 30 2023 - 15:56:46 EST

Next message: Kees Cook: "Re: [PATCH] vt: Fix potential read overflow of kernel memory"
Previous message: Douglas Anderson: "[PATCH v12 7/7] arm64: smp: Mark IPI globals as __ro_after_init"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] vt: Fix potential read overflow of kernel memory"
Next in thread: Kees Cook: "Re: [PATCH] vt: Fix potential read overflow of kernel memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 30, 2023 at 1:57 PM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, Aug 30, 2023 at 04:04:10PM +0000, Azeem Shaikh wrote:
> > strlcpy() reads the entire source buffer first.
> > This read may exceed the destination size limit if
> > a source string is not NUL-terminated [1].
>
> But that's not the case here, right? So your "potential read overflow"
> isn't relevant here.
>
> > The copy_to_user() call uses @len returned from strlcpy() directly
> > without checking its value. This could potentially lead to read
> > overflow.
>
> But can it? How?
>

The case I was considering is when the null-terminated hardcoded
string @func_table[kb_func] has length @new_len > @len. In this case,
strlcpy() will assign @len = @new_len and copy_to_user() would read
@new_len from the kmalloc-ed memory of @len. This is the potential
read overflow I was referring to. Let me know if I'm mistaken.

Next message: Kees Cook: "Re: [PATCH] vt: Fix potential read overflow of kernel memory"
Previous message: Douglas Anderson: "[PATCH v12 7/7] arm64: smp: Mark IPI globals as __ro_after_init"
In reply to: Greg Kroah-Hartman: "Re: [PATCH] vt: Fix potential read overflow of kernel memory"
Next in thread: Kees Cook: "Re: [PATCH] vt: Fix potential read overflow of kernel memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]