Replacing strncpy with strlcpy to avoid strings that lacks null terminate.
And use the sizeof on the to string rather than the from string.
Signed-off-by: Rickard Strandqvist <[email protected]>
---
arch/x86/ia32/ia32_aout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
index d21ff89..1a5eb43 100644
--- a/arch/x86/ia32/ia32_aout.c
+++ b/arch/x86/ia32/ia32_aout.c
@@ -156,7 +156,7 @@ static int aout_core_dump(struct coredump_params *cprm)
fs = get_fs();
set_fs(KERNEL_DS);
has_dumped = 1;
- strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ strlcpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
dump.u_ar0 = offsetof(struct user32, regs);
dump.signal = cprm->siginfo->si_signo;
dump_thread32(cprm->regs, &dump);
--
1.7.10.4
Rickard,
On Jul 26, 2014, at 2:50 PM, Rickard Strandqvist <[email protected]> wrote:
> Replacing strncpy with strlcpy to avoid strings that lacks null terminate.
> And use the sizeof on the to string rather than the from string.
>
> Signed-off-by: Rickard Strandqvist <[email protected]>
> ---
> arch/x86/ia32/ia32_aout.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
> index d21ff89..1a5eb43 100644
> --- a/arch/x86/ia32/ia32_aout.c
> +++ b/arch/x86/ia32/ia32_aout.c
> @@ -156,7 +156,7 @@ static int aout_core_dump(struct coredump_params *cprm)
> fs = get_fs();
> set_fs(KERNEL_DS);
> has_dumped = 1;
> - strncpy(dump.u_comm, current->comm, sizeof(current->comm));
> + strlcpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
> dump.u_ar0 = offsetof(struct user32, regs);
> dump.signal = cprm->siginfo->si_signo;
> dump_thread32(cprm->regs, &dump);
This patch appears to introduce an information leakage as well. The dump structure is on the stack and not cleared, so changing to strlcpy leaves part of the u_comm field holding unintialized data which is then written into the dump. The sizeof in the 3rd argument of the original is really an incorrect reference, as you corrected. A question to consider in this case: is the string in that structure expected to always be null-terminated or not. It is not the case that all such character arrays are expected to be. I don't happen to know in this case.
--
Mark Rustad, [email protected]