Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp527919imu; Wed, 16 Jan 2019 03:15:13 -0800 (PST) X-Google-Smtp-Source: ALg8bN6MTCwTFzUrjE7IrjDVSkjK+9lU3d7Rws7y1JGkAQNcKMbUYcx7ZLXYmW6Fy4uOFn3Qfu3c X-Received: by 2002:a63:78cd:: with SMTP id t196mr8448909pgc.62.1547637313800; Wed, 16 Jan 2019 03:15:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547637313; cv=none; d=google.com; s=arc-20160816; b=OgXU952W1xa4JYuPG7lxkjNfrsrM7GM/Oi9TNYfBoeYhPfzBlgduthWzM9bfF2LxYp lvCCGo9OoEZi5518s9bOmNCTvhZoQicxHkqUl+pP3UbvCNsUaLCmXxyNNuv++7zPNjIP 8B1ktnf0hgi0bFhfkIWqXhe88SDmvopsZ14AVaiByTRxE6MbgAYR5+W4aPDl9SEi2BMY twRADfLVUyyaBLaU786n99r8R04kUTegxaUDGm9EGIC9mrV2WefRXN15b/p3drZiO6nX fCWQXHoPl5evmTfNLoAEbOBZvfddoAku2cyCZ179D4jCOp6bkk7cFuTF8DHlmsMT1+fK NqXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=fl69mbl3aeJV852DXL+mW58QS5k6Dpd7g/JVmja/bME=; b=s7HciXr/64YdIACwHGOzaP+lK2b7h6HBCI3NziOxFI4s5jpCRAQqK1ikQKK2QJOWhJ aJkz6ds955xZLBtQczKNWVAi8oxIebzcOVS0jqjQNuXShezkDBk54s6cGOpkNcSIQBb6 TZQlEut00joRX/frhcgzREaTe3vBKR1bKxK0sIrcTCvW7Ichd1Lwgyp6zPVL++aARFMS pNw6oh6bR+KQTIpNOd+0b/gIU2zLdT1lHJcQdcqQugpVvb+kD1GU13ntWImDhh5OQc+t dBDDeQetIBVTCQO49XkMQO7BxK4hnBtvR+CaD++zJxb4WfNFL0aMo0Hw/YLStN7SiCpS mFSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=OPbI2REp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t77si5829068pgb.51.2019.01.16.03.14.58; Wed, 16 Jan 2019 03:15:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=OPbI2REp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389976AbfAOUrv (ORCPT + 99 others); Tue, 15 Jan 2019 15:47:51 -0500 Received: from mail-vs1-f65.google.com ([209.85.217.65]:35279 "EHLO mail-vs1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728576AbfAOUrv (ORCPT ); Tue, 15 Jan 2019 15:47:51 -0500 Received: by mail-vs1-f65.google.com with SMTP id e7so2537065vsc.2 for ; Tue, 15 Jan 2019 12:47:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fl69mbl3aeJV852DXL+mW58QS5k6Dpd7g/JVmja/bME=; b=OPbI2REp2JERIevczEz3WMraWBonXMUY16IK0bbb/yf8UT6t80Iodm+CLBLJ9gpA2U UK7kf+dLnE6GypVIUZbuffN+hOHm47TNl8OPoZvQt0TKINuxi//be1cM9O5G/nkBzoZj wcpmOOesNLDjhj+994/dl6yroeKS7pN4uHOZs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fl69mbl3aeJV852DXL+mW58QS5k6Dpd7g/JVmja/bME=; b=YMpZW+saTZisAs6PxfkcmmKSZ6DfcyK/jKeK9ZhffmYapVeO3wB8DdPqz5Ma2Fz9XW Zl6IodLoZMnl7AAjPFTpC5b2eOHTFcLp3owonmZunCjarCW0nxC3lYiOOqhdl6yUW5fd n5Zm6LIrWWbicuMuW5F94XhcEOKjQyTFmspTOVuW/XTql1vPzMDpu7diGO4gF/ikaXfI uHsCGCERmkvpwwrfX6gGpoH3eE0DduBWd2X1whYULzDBjcxY0rllmEFNyfBgutGtVTUn 6/Og+1l4lTm0VQbGY4kmmTYl+HjXsqVBHYJnDJMMGlvz3YDG+Fbm5G6hZ2C3txgX4RyC jHvA== X-Gm-Message-State: AJcUukfz3hCFXvccSg0FKbT6DUPd7tBq39zFS/eUkjdo2n9+t6mLg9k0 RWn/AIzyOirD93UsD36GB5NJyDEKMt8= X-Received: by 2002:a67:e89a:: with SMTP id x26mr2312183vsn.80.1547585269221; Tue, 15 Jan 2019 12:47:49 -0800 (PST) Received: from mail-ua1-f47.google.com (mail-ua1-f47.google.com. [209.85.222.47]) by smtp.gmail.com with ESMTPSA id w65sm9133867vsc.16.2019.01.15.12.47.47 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Jan 2019 12:47:48 -0800 (PST) Received: by mail-ua1-f47.google.com with SMTP id d21so1426397uap.9 for ; Tue, 15 Jan 2019 12:47:47 -0800 (PST) X-Received: by 2002:ab0:740a:: with SMTP id r10mr333734uap.14.1547585267418; Tue, 15 Jan 2019 12:47:47 -0800 (PST) MIME-Version: 1.0 References: <20190112152844.26550-1-w@1wt.eu> In-Reply-To: <20190112152844.26550-1-w@1wt.eu> From: Kees Cook Date: Tue, 15 Jan 2019 12:47:34 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow To: Greg KH Cc: Silvio Cesare , LKML , Dan Carpenter , Will Deacon , Willy Tarreau Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau wrote: > > From: Silvio Cesare > > Change snprintf to scnprintf. There are generally two cases where using > snprintf causes problems. > > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) > In this case, if snprintf would have written more characters than what the > buffer size (SIZE) is, then size will end up larger than SIZE. In later > uses of snprintf, SIZE - size will result in a negative number, leading > to problems. Note that size might already be too large by using > size = snprintf before the code reaches a case of size += snprintf. > > 2) If size is ultimately used as a length parameter for a copy back to user > space, then it will potentially allow for a buffer overflow and information > disclosure when size is greater than SIZE. When the size is used to index > the buffer directly, we can have memory corruption. This also means when > size = snprintf... is used, it may also cause problems since size may become > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel > configuration. > > The solution to these issues is to use scnprintf which returns the number of > characters actually written to the buffer, so the size variable will never > exceed SIZE. > > Signed-off-by: Silvio Cesare > Cc: Dan Carpenter > Cc: Kees Cook > Cc: Will Deacon > Cc: Greg KH > Signed-off-by: Willy Tarreau It looks like these are going via individual trees. Greg, can you please take this into your drivers-misc tree for lkdtm? Acked-by: Kees Cook Thanks! -Kees > > --- > drivers/misc/lkdtm/core.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c > index 2837dc77478e..610aa3bfe630 100644 > --- a/drivers/misc/lkdtm/core.c > +++ b/drivers/misc/lkdtm/core.c > @@ -347,9 +347,9 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, > if (buf == NULL) > return -ENOMEM; > > - n = snprintf(buf, PAGE_SIZE, "Available crash types:\n"); > + n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n"); > for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { > - n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", > + n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n", > crashtypes[i].name); > } > buf[n] = '\0'; > -- > 2.19.2 > -- Kees Cook