Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp457299pxb; Wed, 18 Aug 2021 06:23:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWAEkjM+Ccvw3snHpsZHRyzDbj68IfFEB3d8UU9Uq9rUxbYYVIsLm7XPiFP7OlFcXH0zFS X-Received: by 2002:a5d:81c1:: with SMTP id t1mr7144846iol.31.1629293029224; Wed, 18 Aug 2021 06:23:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629293029; cv=none; d=google.com; s=arc-20160816; b=OsoCRV/wZO9cD46CM2+rtoi2Tlq3c2n2VUEKpgsJ6BvG0Pr9PC6hig2f54Zoeue4Zv 3lcHZB7oI2Lq2hgtI6FIXWXk5EBGEH9e3g/wtiXYCdhlGPOjyk56He6BNE24JWpM6ZjP XIvR6/5LiBmRHnNe4xTmXubVr/z65Y88tEuxL9x/Bde1ok5xPqDW0j6L0uL202tsBcYC GZeuXxPPrraEznHOK3RUVte1ObVeGrI0gfo9qzAjEEAWb9GApbyNkyJN+0WqqO8rFd7v LguDwJSjXF/vuV8yo0z084gTExqhy3BoZXr6Y7GjK6GwRgYYNaAJILUH6hu/CdW272EU B3aQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=CU1yhlBxfgzhZjP8s0RDeVhay1i47QIWReg2/ZJkbyM=; b=lEDxHpu/PaV8J2Rf5kK7VeSkuQ0k7cuv1qrxoekEMVN9T2cLhiqWucBysLUr3V2Ytl aM5fi0MOCU4nWZGxCPBAuO+cULWqL/qrQWIjijxfMUuFKAY7C5nrJhTFh8ELVgZlOFdq PTX9qMX9iSPYoC1tOlElwNgQ3gR5tRXHeVp7bAav80WgBd6KXOMfv/JIuU0muFgxxFxl DpFu9399+cgdNAiW6KoIRiZynu4Iu9cqx7sFPzTJpVSFKQwfsSxJYwu37x4VY/W/r7ht DaW2zkLXU7c3Xh4Dd6oSw7EBPkcGJD5c4m0m4QAORt6p/PAXBncdgutHnizstTqlQxGk H32w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RndsyT80; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w17si5204485ioc.46.2021.08.18.06.23.37; Wed, 18 Aug 2021 06:23:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RndsyT80; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236705AbhHRNWg (ORCPT + 99 others); Wed, 18 Aug 2021 09:22:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:35516 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233722AbhHRNWd (ORCPT ); Wed, 18 Aug 2021 09:22:33 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 4BE5E61038; Wed, 18 Aug 2021 13:21:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1629292919; bh=5KcLxEBGDXnCm8nVaw+nWKg2bSoQtlfddRDR7GGl9T8=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=RndsyT80eK5peg0Wa+LDP9j9fD87rWPH7qIZCmht5Z5qvvpkhwKs50Efvp8c2W/BZ K2+LUMFBtPNST8VG79B8kQVc1cgq9/I35NIa5fnECRSgdYvvuTxAQWyn3US+50ZCTV 1vziHJFjbAkqMbNUaCBWYVK0Jl11hbfLkpVOubDUJaABhANU08nQKvlBxCmPoC7Ora guCnuc3dI4J3JvT1iBiSmzKP+5O24KcsCV9HQpxwfjMIg+oo8KAhCUkdV3y9RJxlts vvCb7lejSc+JbydRhSD+8s73QeOek/uomkFwZAEoDfGnncaR4CUK33YJgskRdX+C+r qB/9oQlc9TAqQ== Message-ID: <2f3a644e279a8a0933343339fa0add8e76276bf8.camel@kernel.org> Subject: Re: [PATCH] CIFS: Fix a potencially linear read overflow From: Jeff Layton To: Len Baker , Steve French , Suresh Jayaraman Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, Kees Cook , linux-hardening@vger.kernel.org Date: Wed, 18 Aug 2021 09:21:57 -0400 In-Reply-To: <20210817102709.15046-1-len.baker@gmx.com> References: <20210817102709.15046-1-len.baker@gmx.com> Content-Type: text/plain; charset="ISO-8859-15" User-Agent: Evolution 3.40.3 (3.40.3-1.fc34) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2021-08-17 at 12:27 +0200, Len Baker wrote: > strlcpy() reads the entire source buffer first. This read may exceed the > destination size limit. This is both inefficient and can lead to linear > read overflows if a source string is not NUL-terminated. > > Also, the strnlen() call does not avoid the read overflow in the strlcpy > function when a not NUL-terminated string is passed. > > So, replace this block by a call to kstrndup() that avoids this type of > overflow and does the same. > > Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") > Signed-off-by: Len Baker > --- > fs/cifs/cifs_unicode.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > > diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c > index 9bd03a231032..171ad8b42107 100644 > --- a/fs/cifs/cifs_unicode.c > +++ b/fs/cifs/cifs_unicode.c > @@ -358,14 +358,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen, > if (!dst) > return NULL; > cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage, > - NO_MAP_UNI_RSVD); > + NO_MAP_UNI_RSVD); > } else { > - len = strnlen(src, maxlen); > - len++; > - dst = kmalloc(len, GFP_KERNEL); > - if (!dst) > - return NULL; > - strlcpy(dst, src, len); > + dst = kstrndup(src, maxlen, GFP_KERNEL); > } > > return dst; > -- > 2.25.1 > Reviewed-by: Jeff Layton