Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752671AbdLHUyL (ORCPT ); Fri, 8 Dec 2017 15:54:11 -0500 Received: from mail-vk0-f65.google.com ([209.85.213.65]:40826 "EHLO mail-vk0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750908AbdLHUyJ (ORCPT ); Fri, 8 Dec 2017 15:54:09 -0500 X-Google-Smtp-Source: AGs4zMaXH5VKz+aPrs+/7QI7fLsm7BNK9QOUOfXRJFt3aYie31QHv11tyqNLGGEuq7AlCZPXAsK3Xn7B5Kbba6O+TiE= MIME-Version: 1.0 In-Reply-To: References: <20171207113324.24388-1-eguan@redhat.com> <9f0a9cf6-51f7-cd1f-5dc6-6d510a7b8ec4@virtuozzo.com> From: Kees Cook Date: Fri, 8 Dec 2017 12:54:07 -0800 X-Google-Sender-Auth: kjPxNjkjRtWb_viA81q5TR12uBY Message-ID: Subject: Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy To: Dmitry Vyukov Cc: Andrey Ryabinin , Eryu Guan , LKML , Andrew Morton , Chris Metcalf , Alexander Potapenko , Linus Torvalds Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2884 Lines: 70 On Fri, Dec 8, 2017 at 7:29 AM, Dmitry Vyukov wrote: > On Fri, Dec 8, 2017 at 4:29 PM, Andrey Ryabinin wrote: >> On 12/07/2017 09:26 PM, Kees Cook wrote: >>> On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan wrote: >>>> strscpy() tries to copy sizeof(unsigned long) bytes a time from src >>>> to dest when possible, and stops the loop when 'max' is less than >>>> sizeof(unsigned long). But it doesn't check if (src+res) goes beyond >>>> src buffer and does out-of-bound access to the underlying memory. >>>> >>>> KASAN reported global-out-of-bound bug when reading seccomp >>>> actions_logged file in procfs: >>>> >>>> cat /proc/sys/kernel/seccomp/actions_logged >>>> >>>> Because seccomp_names_from_actions_logged() is copying short strings >>>> (less than sizeof(unsigned long)) to buffer 'names'. e.g. >>>> >>>> ret = strscpy(names, " ", size); >>> >>> This is a false positive: >>> https://marc.info/?l=linux-kernel&m=150768944030805&w=2 >>> >>> Given that we keep getting these reports (this is the third), I wonder >>> if can adjust the seccomp code to work around the bug in KASAN... >>> >> >> We should fix this in strscpy() somehow. We just need to decide how to do this. >> Last time we haven't came to agreement. >> >> So, possible solutions are: >> >> 1) Simply disable word-at-a-time optimization in strscpy(). I seriously doubt >> that this optimization have noticeable performance impact in real workloads. >> >> 2) Apply patch https://lkml.kernel.org/r/20170718171523.32208-1-aryabinin@virtuozzo.com >> It's a simple, minimally intrusive way to fix the bug. >> However, the patch changes semantics/implementation of the strscpy() which is bad idea. >> It basically means that we use one implementation of the strscpy() but test with KASAN another implementation. >> For that reason patch wasn't liked by Linus. >> >> 3) Introduce read_once_partial_check() function and use it in strscpy(). >> read_once_partial_check() supposed to read one word, but KASAN will check only the first byte of the access. >> Dmitry didn't like this. I'm also not fan of this solution, because we may not notice some real bugs, e.g.: >> >> char dst[8]; >> char *src; >> >> src = kmalloc(5, GFP_KERNEL); >> memset(src, 0xff, 5); >> strscpy(dst, src, 8); >> >> stscpy() will copy from 6 up to 8 bytes (exact size depends on what is stored in src[5-7]) >> from non-null terminated src. With read_once_partial_check() used in strscpy() KASAN will >> not report such bug. >> >> >> So, what it's gonna be? Let's finally decide something and deal with the problem. >> My vote belongs to 1) or 2). > > > My vote is for 1) if we agree that the optimization is not worth it, > otherwise for 2). Who would be the best person to measure the difference for 1)? -Kees -- Kees Cook Pixel Security