From: Linus Torvalds
Date: Tue, 12 Dec 2017 14:42:51 -0800
Subject: Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy
To: Andrey Ryabinin
Cc: David Laight, Kees Cook, Dmitry Vyukov, Eryu Guan, LKML, Andrew Morton, Chris Metcalf, Alexander Potapenko
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 12, 2017 at 8:06 AM, Andrey Ryabinin wrote:
>
> See for yourself, strscpy() is the only string function doing this.

No, strnlen_user() definitely does too. It's just that KASAN doesn't
track user pointers.

And the important strlen() in the kernel is the pathname hashing code,
which *definitely* accesses outside the source, but since it can
actually traverse to another page we have that one annotated too (with
load_unaligned_zeropad()).

So no, strscpy() isn't the only one doing it, it is just the only one
that KASAN catches.

              Linus
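An added illustration, not part of the message above and not kernel code: a user-space word-at-a-time length scan that reports how many bytes past the NUL each 8-byte load touched, and whether those bytes fall on the next page. The 4096-byte `PAGE_SZ`, the two-page `arena`, and the `scan_at()` helper are assumptions constructed for the example so that every load stays inside one object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 4096u                   /* assumed page size */
#define ONES    0x0101010101010101ULL
#define HIGHS   0x8080808080808080ULL

struct scan { size_t len, overread; int crossed_page; };

/* Constructed two-page arena: every load below stays inside this object. */
static _Alignas(4096) unsigned char arena[2 * PAGE_SZ];

/* strlen() that loads 8 bytes per step, reporting what it touched past the NUL. */
static struct scan wordwise_strlen(const unsigned char *s)
{
    const unsigned char *p = s;
    for (;; p += sizeof(uint64_t)) {
        uint64_t w;
        memcpy(&w, p, sizeof w);            /* one word load, alignment follows s */
        if (!((w - ONES) & ~w & HIGHS))     /* no zero byte in this word */
            continue;
        size_t i = 0;
        while (p[i])                        /* locate the NUL inside the word */
            i++;
        uintptr_t nul = (uintptr_t)(p + i), last = (uintptr_t)(p + sizeof w - 1);
        struct scan r = { (size_t)(p - s) + i, sizeof w - 1 - i,
                          nul / PAGE_SZ != last / PAGE_SZ };
        return r;
    }
}

/* Hypothetical helper: put str at arena+off, surrounded by non-zero filler. */
static struct scan scan_at(size_t off, const char *str)
{
    memset(arena, 0xAA, sizeof arena);
    memcpy(arena + off, str, strlen(str) + 1);
    return wordwise_strlen(arena + off);
}

int main(void)
{
    struct scan a = scan_at(PAGE_SZ - 8, "abc");  /* word-aligned start */
    struct scan u = scan_at(PAGE_SZ - 6, "abc");  /* unaligned start */
    printf("aligned:   len=%zu overread=%zu crossed=%d\n", a.len, a.overread, a.crossed_page);
    printf("unaligned: len=%zu overread=%zu crossed=%d\n", u.len, u.overread, u.crossed_page);
    return 0;
}
```

Both scans read four bytes beyond the terminator, but only the unaligned one reaches into the following page, which is the case the message says is annotated with load_unaligned_zeropad().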